SECURITY: Don't leak user of previous whisper post when deleting a topic.

A topic's last poster can be incorrectly set to a user of a whisper post if the whisper post is before the last post and the last post is deleted.
2021-07-23 14:50:28 +08:00 · 2021-07-23 14:50:28 +08:00 · 2923abdec7
parent 303e9e42b6
commit 2923abdec7
2 changed files with 17 additions and 0 deletions
--- a/lib/post_destroyer.rb
+++ b/lib/post_destroyer.rb
@ -258,6 +258,7 @@ class PostDestroyer
      .select(:created_at, :user_id, :post_number)
      .where("topic_id = ? and id <> ?", @post.topic_id, @post.id)
      .where.not(user_id: nil)
+      .where.not(post_type: Post.types[:whisper])
      .order('created_at desc')
      .limit(1)
      .first
--- a/spec/components/post_destroyer_spec.rb
+++ b/spec/components/post_destroyer_spec.rb
@ -616,6 +616,22 @@ describe PostDestroyer do
    end
  end

+  describe "deleting a post directly after a whisper" do
+    before do
+      SiteSetting.enable_whispers = true
+    end
+
+    it 'should not set Topic#last_post_user_id to a whisperer' do
+      post_1 = create_post(topic: post.topic, user: moderator)
+      whisper_1 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+      whisper_2 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+
+      PostDestroyer.new(admin, whisper_2).destroy
+
+      expect(post.topic.reload.last_post_user_id).to eq(post_1.user.id)
+    end
+  end
+
  context 'deleting the second post in a topic' do

    fab!(:user) { Fabricate(:user) }