SECURITY: Don't leak topic title in the redirect

2024-11-23 15:48:43 -05:00 · 2015-02-04 11:49:05 -08:00 · 2015-02-04 11:49:05 -08:00 · 4c8850108a
commit 4c8850108a
parent 3948a960cd
2 changed files with 17 additions and 0 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -70,6 +70,8 @@ class PostsController < ApplicationController
      user = User.find(params[:user_id].to_i)
      request['u'] = user.username_lower if user
    end
+
+    guardian.ensure_can_see!(post)
    redirect_to post.url
  end

--- a/spec/controllers/posts_controller_spec.rb
+++ b/spec/controllers/posts_controller_spec.rb
@ -821,4 +821,19 @@ describe PostsController do
    end
  end

+  describe "short link" do
+    let(:topic) { Fabricate(:topic) }
+    let(:post) { Fabricate(:post, topic: topic) }
+
+    it "redirects to the topic" do
+      xhr :get, :short_link, post_id: post.id
+      response.should be_redirect
+    end
+
+    it "returns a 403 when access is denied" do
+      Guardian.any_instance.stubs(:can_see?).returns(false)
+      xhr :get, :short_link, post_id: post.id
+      response.should be_forbidden
+    end
+  end
 end