Merge pull request #6388 from pmusaraj/drafts-second-user-test

Add test to ensure a user cannot see drafts stream of another user
2018-09-13 06:53:44 -07:00 · 2018-09-13 06:53:44 -07:00 · 2ae7d3a118
parent f2363650c9 5bdf476de7
commit 2ae7d3a118
3 changed files with 22 additions and 19 deletions
--- a/app/controllers/drafts_controller.rb
+++ b/app/controllers/drafts_controller.rb
@ -10,36 +10,32 @@ class DraftsController < ApplicationController

    user = fetch_user_from_params

+    unless user == current_user
+      raise Discourse::InvalidAccess
+    end
+
    opts = {
      user: user,
      offset: params[:offset],
      limit: params[:limit]
    }

-    help_key = "user_activity.no_drafts"
-
-    if user == current_user
-      stream = Draft.stream(opts)
-      stream.each do |d|
-        parsed_data = JSON.parse(d.data)
-        if parsed_data
-          if parsed_data['reply']
-            d.raw = parsed_data['reply']
-          end
-          if parsed_data['categoryId'].present? && !d.category_id.present?
-            d.category_id = parsed_data['categoryId']
-          end
+    stream = Draft.stream(opts)
+    stream.each do |d|
+      parsed_data = JSON.parse(d.data)
+      if parsed_data
+        if parsed_data['reply']
+          d.raw = parsed_data['reply']
+        end
+        if parsed_data['categoryId'].present? && !d.category_id.present?
+          d.category_id = parsed_data['categoryId']
        end
      end
-
-      help_key += ".self"
-    else
-      help_key += ".others"
    end

    render json: {
      drafts: stream ? serialize_data(stream, DraftSerializer) : [],
-      no_results_help: I18n.t(help_key)
+      no_results_help: I18n.t("user_activity.no_drafts.self")
    }

  end
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@ -796,7 +796,6 @@ en:
      others: "No replies."
    no_drafts:
      self: "You have no drafts; begin composing a reply in any topic and it will be auto-saved as a new draft."
-      others: "You do not have permission to see drafts for this user."

  topic_flag_types:
    spam:
--- a/spec/requests/drafts_controller_spec.rb
+++ b/spec/requests/drafts_controller_spec.rb
@ -24,4 +24,12 @@ describe DraftsController do
    parsed = JSON.parse(response.body)
    expect(parsed["drafts"].length).to eq(0)
  end
+
+  it 'does not let a user see drafts stream of another user' do
+    user_b = Fabricate(:user)
+    Draft.set(user_b, 'xxx', 0, '{}')
+    sign_in(Fabricate(:user))
+    get "/drafts.json", params: { username: user_b.username }
+    expect(response.status).to eq(403)
+  end
 end