SECURITY: Only publish PM reply messagebus notifications to allowed users

David Taylor 2017-09-08 22:09:05 +01:00 committed by Robin Ward
parent 1d52231f42
commit 1def49cf6c
1 changed files with 7 additions and 1 deletions


@ -150,7 +150,13 @@ class Post < ActiveRecord::Base
}.merge(options)
if Topic.visible_post_types.include?(post_type)
MessageBus.publish(channel, msg, group_ids: topic.secure_group_ids)
if topic.archetype == Archetype.private_message
user_ids = User.where('admin or moderator').pluck(:id)
user_ids |= topic.allowed_users.pluck(:id)
MessageBus.publish(channel, msg, user_ids: user_ids)
else
MessageBus.publish(channel, msg, group_ids: topic.secure_group_ids)
end
else
user_ids = User.where('admin or moderator or id = ?', user_id).pluck(:id)
MessageBus.publish(channel, msg, user_ids: user_ids)
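Review bot: The private-message branch builds its recipient list from staff plus `topic.allowed_users` only, so anyone who can read the PM through a group rather than an individual invitation would stop receiving reply notifications on this channel. This is inferred, since the Topic model is not visible here; if PMs can be addressed to groups, the list should also take in those members, e.g. `user_ids |= topic.allowed_group_users.pluck(:id)` (association name to be confirmed against the model). The omission fails closed, so it is a delivery gap rather than a leak. The commit touches one file and adds no spec; a test asserting that a user outside the PM receives nothing on the channel would pin the fix. The enclosing method starts and ends outside the hunk.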