correct information leak in page not found

Sam 2013-06-13 10:27:17 +10:00
parent c47239b536
commit e6e81efe85
6 changed files with 22 additions and 10 deletions


@ -278,9 +278,8 @@ class ApplicationController < ActionController::Base
end
def render_not_found_page(status=404)
f = Topic.where(deleted_at: nil, archetype: "regular")
@latest = f.order('views desc').take(10)
@recent = f.order('created_at desc').take(10)
@top_viewed = TopicQuery.top_viewed(10)
@recent = TopicQuery.recent(10)
@slug = params[:slug].class == String ? params[:slug] : ''
@slug = (params[:id].class == String ? params[:id] : '') if @slug.blank?
@slug.gsub!('-',' ')
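Review bot: Nothing at the new `@top_viewed = TopicQuery.top_viewed(10)` / `@recent = TopicQuery.recent(10)` lines records that the leak fix depends on these class methods applying the `secured` scope with no guardian, so a later edit that passes the current user's guardian or reverts to a plain `Topic.where` would silently reopen it. I would add above the first of them: `# The 404 page is shown to anonymous and logged-in users alike; only list topics visible to everyone (TopicQuery applies the guardian-less secured scope).` The literal `10` is repeated in both calls and could be a named constant. The body of `render_not_found_page` continues past the hunk, so the `status` parameter's use is not visible here.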


@ -96,7 +96,7 @@ class Topic < ActiveRecord::Base
scope :created_since, lambda { |time_ago| where('created_at > ?', time_ago) }
scope :secured, lambda {|guardian|
scope :secured, lambda {|guardian=nil|
ids = guardian.secure_category_ids if guardian
# Query conditions
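Review bot: With the new `guardian=nil` default, `ids` on the line `ids = guardian.secure_category_ids if guardian` is `nil` for an anonymous caller, and the conditions that consume it are outside the hunk, so it is not visible here whether `nil` is handled as "no secure categories" or ends up interpolated into the SQL; please confirm the conditions below treat `ids.nil?` explicitly. A comment on the lambda would make the intent clear to the next reader: `# guardian is nil for anonymous/system callers: only topics in unsecured categories are returned`. The lambda's body continues outside the hunk.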


@ -4,8 +4,8 @@
<table>
<tr>
<td style="vertical-align:top; padding:0 20px 20px 0;">
<h2><%= t 'page_not_found.latest_topics' %></h2>
<% @latest.each do |t| %>
<h2><%= t 'page_not_found.popular_topics' %></h2>
<% @top_viewed.each do |t| %>
<%= link_to t.title, t.relative_url %><br/>
<% end %>
<br/>
@ -17,7 +17,7 @@
<%= link_to t.title, t.relative_url %><br/>
<% end %>
<br/>
<a href="/new" class="btn"><%= t 'page_not_found.see_more' %>&hellip;</a>
<a href="/latest" class="btn"><%= t 'page_not_found.see_more' %>&hellip;</a>
</td>
</tr>
</table>
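Review bot: The block parameter `t` in `<% @top_viewed.each do |t| %>` (and the matching loop in the section's second hunk) shadows the `t` translation helper called on the line immediately above it; the helper is not invoked inside the block, so this works, but it reads as a bug and will bite the first person who adds a translated string inside the loop. Renaming the parameter removes the ambiguity: `<% @top_viewed.each do |topic| %>` with `<%= link_to topic.title, topic.relative_url %><br/>`. The `/new` to `/latest` link change matches the renamed `@recent` data and looks consistent.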


@ -1007,7 +1007,7 @@ en:
page_not_found:
title: "The page you requested doesn't exist on this discussion forum. Perhaps we can help find it, or another topic like it:"
latest_topics: "Latest topics"
popular_topics: "Popular topics"
recent_topics: "Recent topics"
see_more: "See More"
search_title: "Search for this topic"


@ -63,6 +63,14 @@ class TopicQuery
"CASE WHEN (topics.pinned_at IS NOT NULL) THEN 0 ELSE 1 END, topics.bumped_at DESC"
end
def top_viewed(max)
Topic.listable_topics.visible.secured.order('views desc').take(10)
end
def recent(max)
Topic.listable_topics.visible.secured.order('created_at desc').take(10)
end
end
def initialize(user=nil, opts={})
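Review bot: `top_viewed(max)` and `recent(max)` accept a `max` argument and then ignore it, hard-coding `take(10)` in both bodies; the callers pass 10 today so nothing misbehaves, but the first caller with a different limit will still get ten rows, and the spec, which also passes 10, cannot catch it. Change both to `.take(max)`. A one-line doc on each would also help, e.g. `# Topics visible to everyone (guardian-less secured scope), for pages rendered to anonymous users.` Both methods appear to sit inside a `class << self` block whose opening is outside the hunk.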


@ -20,17 +20,22 @@ describe TopicQuery do
category.save
topic = Fabricate(:topic, category: category)
topic = Fabricate(:topic, visible: false)
TopicQuery.new(nil).list_latest.topics.count.should == 0
TopicQuery.new(user).list_latest.topics.count.should == 0
# mods can see every group
TopicQuery.new(moderator).list_latest.topics.count.should == 2
TopicQuery.top_viewed(10).count.should == 0
TopicQuery.recent(10).count.should == 0
# mods can see every group and hidden topics
TopicQuery.new(moderator).list_latest.topics.count.should == 3
group.add(user)
group.save
TopicQuery.new(user).list_latest.topics.count.should == 2
end
end
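Review bot: The new assertions `TopicQuery.top_viewed(10).count.should == 0` and `TopicQuery.recent(10).count.should == 0` only check that the secured-category and `visible: false` topics are excluded for an anonymous caller; nothing asserts that a public, visible topic is returned, so an implementation that returned an empty relation would pass just as well. Add a positive case after those fixtures, e.g. `Fabricate(:topic)` followed by `TopicQuery.recent(10).count.should == 1` (the exact count depends on fixtures created earlier in the example, which start outside the hunk). The `topic =` assignment on the `visible: false` fixture is never read and can be dropped.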