From 24f94c40a6c1097a8d154d6b4896abea096d2d25 Mon Sep 17 00:00:00 2001
From: Arpit Jalan <arpit@techapj.com>
Date: Mon, 19 Aug 2019 12:38:28 +0530
Subject: [PATCH] SECURITY: don't reveal category details to users that do not
 have access

---
 app/controllers/categories_controller.rb    |  2 ++
 spec/requests/categories_controller_spec.rb | 27 +++++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/app/controllers/categories_controller.rb b/app/controllers/categories_controller.rb
index 3ff059c2996..774171395d8 100644
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@@ -117,6 +117,8 @@ class CategoriesController < ApplicationController
   end
 
   def show
+    guardian.ensure_can_see!(@category)
+
     if Category.topic_create_allowed(guardian).where(id: @category.id).exists?
       @category.permission = CategoryGroup.permission_types[:full]
     end
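Review bot: The new `guardian.ensure_can_see!(@category)` check turns an unauthorized request into an access error (the spec in this patch pins a 403), which still confirms that a category with that id exists; if the existence of a restricted category is itself something to hide, raising `Discourse::NotFound` when `guardian.can_see?(@category)` is false would make hidden and nonexistent ids indistinguishable, which as far as I recall is how other hidden resources in this codebase are handled. Placing the check before `Category.topic_create_allowed(guardian)` is the right order, since nothing about the category is computed or mutated before the permission decision. `@category` is populated by a filter outside this hunk, so it is worth confirming that filter does not already render anything for the not-found case; the body of `show` also continues past the hunk.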
diff --git a/spec/requests/categories_controller_spec.rb b/spec/requests/categories_controller_spec.rb
index cc69d5f4c00..36072d01f2e 100644
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
@@ -188,6 +188,33 @@ describe CategoriesController do
     end
   end
 
+  context '#show' do
+    before do
+      category.set_permissions(admins: :full)
+      category.save!
+    end
+
+    it "requires the user to be logged in" do
+      get "/c/#{category.id}/show.json"
+      expect(response.status).to eq(403)
+    end
+
+    describe "logged in" do
+      it "raises an exception if they don't have permission to see it" do
+        admin.update!(admin: false)
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(403)
+      end
+
+      it "renders category for users that have permission" do
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(200)
+      end
+    end
+  end
+
   context '#destroy' do
     it "requires the user to be logged in" do
       delete "/categories/category.json"