FIX: Do not redirect to a topic user cannot see (#13550)

Inviting a user to a private topic used to redirect them to a 404 page immediately after sign up.
2021-06-30 12:00:47 +03:00 · 2021-06-30 12:00:47 +03:00 · 16227e38ac
parent 95038856c9
commit 16227e38ac
2 changed files with 47 additions and 5 deletions
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -251,11 +251,19 @@ class InvitesController < ApplicationController
      topic = invite.topics.first
      response = {}

-      if user.present? && user.active?
-        response[:redirect_to] = topic.present? ? path(topic.relative_url) : path("/")
-      elsif user.present?
-        response[:message] = I18n.t('invite.confirm_email')
-        cookies[:destination_url] = path(topic.relative_url) if topic.present?
+      if user.present?
+        if user.active?
+          if user.guardian.can_see?(topic)
+            response[:redirect_to] = path(topic.relative_url)
+          else
+            response[:redirect_to] = path("/")
+          end
+        else
+          response[:message] = I18n.t('invite.confirm_email')
+          if user.guardian.can_see?(topic)
+            cookies[:destination_url] = path(topic.relative_url)
+          end
+        end
      end

      render json: success_json.merge(response)
--- a/spec/requests/invites_controller_spec.rb
+++ b/spec/requests/invites_controller_spec.rb
@ -684,6 +684,40 @@ describe InvitesController do
        expect(response.body).to include(I18n.t('login.already_logged_in', current_user: user.username))
      end
    end
+
+    context 'topic invites' do
+      fab!(:invite) { Fabricate(:invite, email: 'test@example.com') }
+
+      fab!(:secured_category) do
+        secured_category = Fabricate(:category)
+        secured_category.permissions = { staff: :full }
+        secured_category.save!
+        secured_category
+      end
+
+      it 'redirects user to topic if activated' do
+        topic = Fabricate(:topic)
+        TopicInvite.create!(invite: invite, topic: topic)
+
+        put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
+        expect(response.parsed_body['redirect_to']).to eq(topic.relative_url)
+      end
+
+      it 'sets destination_url cookie if user is not activated' do
+        topic = Fabricate(:topic)
+        TopicInvite.create!(invite: invite, topic: topic)
+
+        put "/invites/show/#{invite.invite_key}.json"
+        expect(cookies['destination_url']).to eq(topic.relative_url)
+      end
+
+      it 'does not redirect user if they cannot see topic' do
+        TopicInvite.create!(invite: invite, topic: Fabricate(:topic, category: secured_category))
+
+        put "/invites/show/#{invite.invite_key}.json", params: { email_token: invite.email_token }
+        expect(response.parsed_body['redirect_to']).to eq("/")
+      end
+    end
  end

  context '#destroy_all_expired' do