SECURITY: TopicView not correctly restricting to topic
This commit is contained in:
parent
cc473f1c5d
commit
2ad756464e
|
@ -276,7 +276,7 @@ class TopicView
|
||||||
|
|
||||||
def filter_posts_by_ids(post_ids)
|
def filter_posts_by_ids(post_ids)
|
||||||
# TODO: Sort might be off
|
# TODO: Sort might be off
|
||||||
@posts = Post.where(id: post_ids)
|
@posts = Post.where(id: post_ids, topic_id: @topic.id)
|
||||||
.includes(:user)
|
.includes(:user)
|
||||||
.includes(:reply_to_user)
|
.includes(:reply_to_user)
|
||||||
.order('sort_order')
|
.order('sort_order')
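Review bot: The only comment on filter_posts_by_ids is `# TODO: Sort might be off`, which says nothing about why `topic_id: @topic.id` is now part of the query, so a later cleanup could drop the condition as redundant. I would replace the TODO with a comment naming the invariant, e.g. `# Always scope to @topic: post_ids are caller-supplied, so without this a request could pull posts belonging to other topics.` The condition also assumes @topic is already loaded when this filter runs; if the constructor does not guarantee that order, a nil @topic would raise NoMethodError here rather than the InvalidAccess the spec expects, which is worth confirming. The method's `end` and the rest of TopicView are outside the hunk.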
|
||||||
|
|
|
@ -221,7 +221,7 @@ describe TopicView do
|
||||||
let!(:p3) { Fabricate(:post, topic: topic, user: first_poster)}
|
let!(:p3) { Fabricate(:post, topic: topic, user: first_poster)}
|
||||||
|
|
||||||
before do
|
before do
|
||||||
SiteSetting.stubs(:posts_per_page).returns(3)
|
SiteSetting.posts_per_page = 3
|
||||||
|
|
||||||
# Update them to the sort order we're checking for
|
# Update them to the sort order we're checking for
|
||||||
[p1, p2, p3, p4, p5, p6].each_with_index do |p, idx|
|
[p1, p2, p3, p4, p5, p6].each_with_index do |p, idx|
|
||||||
|
@ -233,21 +233,33 @@ describe TopicView do
|
||||||
end
|
end
|
||||||
|
|
||||||
describe "contains_gaps?" do
|
describe "contains_gaps?" do
|
||||||
it "does not contain contains_gaps with default filtering" do
|
it "works" do
|
||||||
|
# does not contain contains_gaps with default filtering
|
||||||
topic_view.contains_gaps?.should be_false
|
topic_view.contains_gaps?.should be_false
|
||||||
end
|
# contains contains_gaps when filtered by username" do
|
||||||
|
|
||||||
it "contains contains_gaps when filtered by username" do
|
|
||||||
TopicView.new(topic.id, coding_horror, username_filters: ['eviltrout']).contains_gaps?.should be_true
|
TopicView.new(topic.id, coding_horror, username_filters: ['eviltrout']).contains_gaps?.should be_true
|
||||||
end
|
# contains contains_gaps when filtered by summary
|
||||||
|
|
||||||
it "contains contains_gaps when filtered by summary" do
|
|
||||||
TopicView.new(topic.id, coding_horror, filter: 'summary').contains_gaps?.should be_true
|
TopicView.new(topic.id, coding_horror, filter: 'summary').contains_gaps?.should be_true
|
||||||
end
|
# contains contains_gaps when filtered by best
|
||||||
|
|
||||||
it "contains contains_gaps when filtered by best" do
|
|
||||||
TopicView.new(topic.id, coding_horror, best: 5).contains_gaps?.should be_true
|
TopicView.new(topic.id, coding_horror, best: 5).contains_gaps?.should be_true
|
||||||
end
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
it "#restricts to correct topic" do
|
||||||
|
t2 = Fabricate(:topic)
|
||||||
|
|
||||||
|
category = Fabricate(:category, name: "my test")
|
||||||
|
category.set_permissions(Group[:admins] => :full)
|
||||||
|
category.save
|
||||||
|
|
||||||
|
topic.category_id = category.id
|
||||||
|
topic.save!
|
||||||
|
|
||||||
|
expect{
|
||||||
|
TopicView.new(topic.id, coding_horror).posts.count
|
||||||
|
}.to raise_error(Discourse::InvalidAccess)
|
||||||
|
|
||||||
|
TopicView.new(t2.id, coding_horror, post_ids: [p1.id,p2.id]).posts.count.should == 0
|
||||||
|
|
||||||
end
|
end
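Review bot: `category.save` in the new "#restricts to correct topic" example silently ignores a validation failure, whereas `topic.save!` two lines below does not; if the admins-only permission is rejected the restricted category is never persisted and the example fails later with a misleading message, so use `category.save!`. Collapsing the three contains_gaps? examples into a single `it "works"` also trades per-case failure reporting for comments, and one of those comments kept a stray trailer (`# contains contains_gaps when filtered by username" do`). The leading `#` in the title `"#restricts to correct topic"` looks unintended as well. The enclosing `describe TopicView` block begins before the hunk.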
|
||||||
|
|
||||||
|
|