SECURITY: Don't leak topic title in the redirect
parent
3948a960cd
commit
4c8850108a
2 changed files with 17 additions and 0 deletions
|
@ -70,6 +70,8 @@ class PostsController < ApplicationController
|
|||
user = User.find(params[:user_id].to_i)
|
||||
request['u'] = user.username_lower if user
|
||||
end
|
||||
|
||||
guardian.ensure_can_see!(post)
|
||||
redirect_to post.url
|
||||
end
|
||||
|
||||
|
|
|
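Review bot: The new `guardian.ensure_can_see!(post)` line carries no comment saying why it must sit before `redirect_to post.url`, and the reason is not obvious from the code alone: the redirect target embeds the topic slug, so without the check an unauthorised caller learns the topic title from the Location header even though the post itself is never rendered. I would add, directly above the guardian call, `# post.url embeds the topic slug; check visibility before redirecting so the title cannot be learned from the Location header.`. The `user` lookup above it is context from the existing code and is unaffected by the fix, but note that the guardian in use is the current requester's, not the `user` resolved from `params[:user_id]`, which is the correct subject for this check. The enclosing action starts outside the hunk.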
@ -821,4 +821,19 @@ describe PostsController do
|
|||
end
|
||||
end
|
||||
|
||||
describe "short link" do
|
||||
let(:topic) { Fabricate(:topic) }
|
||||
let(:post) { Fabricate(:post, topic: topic) }
|
||||
|
||||
it "redirects to the topic" do
|
||||
xhr :get, :short_link, post_id: post.id
|
||||
response.should be_redirect
|
||||
end
|
||||
|
||||
it "returns a 403 when access is denied" do
|
||||
Guardian.any_instance.stubs(:can_see?).returns(false)
|
||||
xhr :get, :short_link, post_id: post.id
|
||||
response.should be_forbidden
|
||||
end
|
||||
end
|
||||
end
|
||||
|
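Review bot: The "returns a 403 when access is denied" example only asserts `response.should be_forbidden`; it does not pin the actual property the commit fixes, namely that no redirect target (and therefore no topic slug) is emitted when access is denied. Adding `response.location.should be_nil` after the forbidden assertion would make the spec fail again if someone later reorders the guardian check after the redirect. Likewise the "redirects to the topic" example could assert the target rather than just the status: `response.should redirect_to(post.url)`. Both examples rely on `Guardian.any_instance.stubs(:can_see?)`, so they exercise the controller's ordering rather than a real visibility rule; that is adequate for this regression test, but worth stating in the example description.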
|