SECURITY: don't reveal category details to users that do not have access

2019-08-19 12:38:28 +05:30 · 2019-08-19 12:38:28 +05:30 · 24f94c40a6
parent 897cdfb596
commit 24f94c40a6
2 changed files with 29 additions and 0 deletions
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@ -117,6 +117,8 @@ class CategoriesController < ApplicationController
  end

  def show
+    guardian.ensure_can_see!(@category)
+
    if Category.topic_create_allowed(guardian).where(id: @category.id).exists?
      @category.permission = CategoryGroup.permission_types[:full]
    end
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
@ -188,6 +188,33 @@ describe CategoriesController do
    end
  end

+  context '#show' do
+    before do
+      category.set_permissions(admins: :full)
+      category.save!
+    end
+
+    it "requires the user to be logged in" do
+      get "/c/#{category.id}/show.json"
+      expect(response.status).to eq(403)
+    end
+
+    describe "logged in" do
+      it "raises an exception if they don't have permission to see it" do
+        admin.update!(admin: false)
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(403)
+      end
+
+      it "renders category for users that have permission" do
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(200)
+      end
+    end
+  end
+
  context '#destroy' do
    it "requires the user to be logged in" do
      delete "/categories/category.json"