FIX: Return 410 Gone for deleted topics you could otherwise see

This commit is contained in:
Kane York 2015-09-18 00:14:10 -07:00
parent 6c6d3a2159
commit c9e4745fe8
5 changed files with 46 additions and 5 deletions

View file

@ -93,6 +93,11 @@ class TopicsController < ApplicationController
Notification.remove_for(current_user.id, params[:topic_id])
end
if ex.obj && Topic === ex.obj && guardian.can_see_topic_if_not_deleted?(ex.obj)
rescue_discourse_actions(:not_found, 410)
return
end
raise ex
end

View file

@ -43,7 +43,13 @@ module Discourse
class InvalidParameters < StandardError; end
# When they don't have permission to do something
class InvalidAccess < StandardError; end
class InvalidAccess < StandardError
attr_reader :obj
def initialize(msg=nil, obj=nil)
super(msg)
@obj = obj
end
end
# When something they want is not found
class NotFound < StandardError; end

View file

@ -72,6 +72,22 @@ module TopicGuardian
!topic.read_restricted_category? || can_see_category?(topic.category)
end
def can_see_topic_if_not_deleted?(topic)
return false unless topic
# Admins can see everything
return true if is_admin?
# Deleted topics
# return false if topic.deleted_at && !can_see_deleted_topics?
if topic.private_message?
return authenticated? &&
topic.all_allowed_users.where(id: @user.id).exists?
end
# not secure, or I can see it
!topic.read_restricted_category? || can_see_category?(topic.category)
end
def filter_allowed_categories(records)
unless is_admin?
allowed_ids = allowed_category_ids

View file

@ -417,7 +417,7 @@ class TopicView
if @topic.present? && @topic.private_message? && @user.blank?
raise Discourse::NotLoggedIn.new
end
guardian.ensure_can_see!(@topic)
raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless guardian.can_see?(@topic)
end

View file

@ -588,6 +588,8 @@ describe TopicsController do
let(:secure_topic) { Fabricate(:topic, category: secure_category) }
let(:private_topic) { Fabricate(:private_message_topic, user: allowed_user) }
let(:deleted_topic) { Fabricate(:deleted_topic) }
let(:deleted_secure_topic) { Fabricate(:topic, category: secure_category, deleted_at: 1.day.ago) }
let(:deleted_private_topic) { Fabricate(:private_message_topic, user: allowed_user, deleted_at: 1.day.ago) }
let(:nonexist_topic_id) { Topic.last.id + 10000 }
context 'anonymous' do
@ -595,7 +597,9 @@ describe TopicsController do
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 302,
:deleted_topic => 403,
:deleted_topic => 410,
:deleted_secure_topic => 403,
:deleted_private_topic => 302,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
@ -610,6 +614,8 @@ describe TopicsController do
:secure_topic => 302,
:private_topic => 302,
:deleted_topic => 302,
:deleted_secure_topic => 302,
:deleted_private_topic => 302,
:nonexist => 302
}
topics_controller_show_gen_perm_tests(expected, self)
@ -624,7 +630,9 @@ describe TopicsController do
:normal_topic => 200,
:secure_topic => 403,
:private_topic => 403,
:deleted_topic => 403,
:deleted_topic => 410,
:deleted_secure_topic => 403,
:deleted_private_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
@ -639,7 +647,9 @@ describe TopicsController do
:normal_topic => 200,
:secure_topic => 200,
:private_topic => 200,
:deleted_topic => 403,
:deleted_topic => 410,
:deleted_secure_topic => 410,
:deleted_private_topic => 410,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
@ -655,6 +665,8 @@ describe TopicsController do
:secure_topic => 403,
:private_topic => 403,
:deleted_topic => 200,
:deleted_secure_topic => 403,
:deleted_private_topic => 403,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)
@ -670,6 +682,8 @@ describe TopicsController do
:secure_topic => 200,
:private_topic => 200,
:deleted_topic => 200,
:deleted_secure_topic => 200,
:deleted_private_topic => 200,
:nonexist => 404
}
topics_controller_show_gen_perm_tests(expected, self)