SECURITY: Add permissions to MessageBus in chat

Add spec compact
2023-10-02 17:45:17 -03:00 · 2023-10-02 17:45:17 -03:00 · 6350ba2cb3
parent 9d1726fe2b
commit 6350ba2cb3
2 changed files with 47 additions and 22 deletions
--- a/plugins/chat/app/services/chat/publisher.rb
+++ b/plugins/chat/app/services/chat/publisher.rb
@ -55,6 +55,7 @@ module Chat
                { scope: anonymous_guardian, root: false },
              ).as_json,
          },
+          permissions(chat_channel),
        )
      end

@ -463,8 +464,11 @@ module Chat

    private

-    def self.permissions(chat_channel)
-      { user_ids: chat_channel.allowed_user_ids, group_ids: chat_channel.allowed_group_ids }
+    def self.permissions(channel)
+      {
+        user_ids: channel.allowed_user_ids.presence,
+        group_ids: channel.allowed_group_ids.presence,
+      }.compact
    end

    def self.anonymous_guardian
--- a/plugins/chat/spec/services/chat/publisher_spec.rb
+++ b/plugins/chat/spec/services/chat/publisher_spec.rb
@ -229,6 +229,13 @@ describe Chat::Publisher do
          },
        )
      end
+
+      it "calls MessageBus with the correct permissions" do
+        MessageBus.stubs(:publish)
+        MessageBus.expects(:publish).with("/chat/#{channel.id}", anything, {})
+
+        described_class.publish_new!(channel, message_1, staged_id)
+      end
    end

    context "when the message is a thread reply" do
@ -253,27 +260,41 @@ describe Chat::Publisher do
          expect(messages).not_to be_empty
        end

-        context "if threading_enabled is true for the channel" do
-          before { channel.update!(threading_enabled: true) }
+        it "calls MessageBus with the correct permissions" do
+          MessageBus.stubs(:publish)
+          MessageBus.expects(:publish).with("/chat/#{channel.id}", anything, {})

-          it "does publish to the new_messages_message_bus_channel" do
-            messages =
-              MessageBus.track_publish(
-                described_class.new_messages_message_bus_channel(channel.id),
-              ) { described_class.publish_new!(channel, message_1, staged_id) }
-            expect(messages.first.data).to eq(
-              {
-                type: "thread",
-                channel_id: channel.id,
-                thread_id: thread.id,
-                message:
-                  Chat::MessageSerializer.new(
-                    message_1,
-                    { scope: Guardian.new(nil), root: false },
-                  ).as_json,
-              },
-            )
-          end
+          described_class.publish_new!(channel, message_1, staged_id)
+        end
+      end
+
+      context "if threading_enabled is true for the channel" do
+        before { channel.update!(threading_enabled: true) }
+
+        it "does publish to the new_messages_message_bus_channel" do
+          messages =
+            MessageBus.track_publish(
+              described_class.new_messages_message_bus_channel(channel.id),
+            ) { described_class.publish_new!(channel, message_1, staged_id) }
+          expect(messages.first.data).to eq(
+            {
+              type: "thread",
+              channel_id: channel.id,
+              thread_id: thread.id,
+              message:
+                Chat::MessageSerializer.new(
+                  message_1,
+                  { scope: Guardian.new(nil), root: false },
+                ).as_json,
+            },
+          )
+        end
+
+        it "calls MessageBus with the correct permissions" do
+          MessageBus.stubs(:publish)
+          MessageBus.expects(:publish).with("/chat/#{channel.id}", anything, {})
+
+          described_class.publish_new!(channel, message_1, staged_id)
        end
      end
    end