From 492cf52bab009edcc7e3ab27438fb48a4a4bd901 Mon Sep 17 00:00:00 2001
From: David Battersby
Date: Mon, 14 Oct 2024 17:45:50 +0400
Subject: [PATCH] FIX: trashed channel thread view bug (#29192)
When chat channels are deleted, some users may be able to click the thread before it gets removed from the UI. This leads to a 500 error causing log noise. We can use the safe navigational operator to prevent calling chatable when the channel is not found (due to deleted_at constraint in query).
---
 plugins/chat/lib/chat/guardian_extensions.rb | 2 +-
 .../requests/chat/api/channel_threads_controller_spec.rb | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/plugins/chat/lib/chat/guardian_extensions.rb b/plugins/chat/lib/chat/guardian_extensions.rb
index 760bb6e9217..57952226b5f 100644
--- a/plugins/chat/lib/chat/guardian_extensions.rb
+++ b/plugins/chat/lib/chat/guardian_extensions.rb
@@ -98,7 +98,7 @@ module Chat
 end
 def can_preview_chat_channel?(chat_channel)
- return false unless chat_channel.chatable
+ return false if !chat_channel&.chatable
 if chat_channel.direct_message_channel?
 chat_channel.chatable.user_can_access?(@user)
diff --git a/plugins/chat/spec/requests/chat/api/channel_threads_controller_spec.rb b/plugins/chat/spec/requests/chat/api/channel_threads_controller_spec.rb
index 84c4915bb10..3a0f8a9734d 100644
--- a/plugins/chat/spec/requests/chat/api/channel_threads_controller_spec.rb
+++ b/plugins/chat/spec/requests/chat/api/channel_threads_controller_spec.rb
@@ -59,6 +59,15 @@ RSpec.describe Chat::Api::ChannelThreadsController do
 end
 end
+ context "when channel was deleted" do
+ before { thread.channel.trash! }
+
+ it "returns 403" do
+ get "/chat/api/channels/#{thread.channel_id}/threads/#{thread.id}"
+ expect(response.status).to eq(403)
+ end
+ end
+
 context "when user cannot access the channel" do
 before do
 thread.channel.update!(chatable: Fabricate(:private_category, group: Fabricate(:group)))
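Review bot: The nil guard on the first line of `can_preview_chat_channel?` makes this authorization check fail closed, but nothing at the guard says why a nil channel can reach it. Per the commit description the lookup excludes trashed channels, so a short comment above the guard would record that, e.g. `# chat_channel is nil when the channel was trashed; deny instead of raising`. Other guardian predicates in this module that take a channel are outside the hunk and may still dereference nil, so it is worth checking whether the caller should reject a missing channel before consulting the guardian. The method body continues past the hunk.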
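Review bot: The new example under `context "when channel was deleted"` pins only the status code, so it does not document why a trashed channel answers 403 rather than 404. If a channel id that never existed returns 404 on this route (not visible here), the differing status would let a client tell a deleted channel from an absent one. A one-line comment such as `# trashed channel resolves to nil, guardian denies => 403` would make the chosen behaviour explicit. The enclosing `describe` block starts and ends outside the hunk.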