FIX: Better param guards for `wiki` and `post_type` posts controller.

2022-01-24 15:56:18 +08:00 · 2022-01-24 15:56:18 +08:00 · 65f46ad4ed
parent 930f51e175
commit 65f46ad4ed
2 changed files with 27 additions and 3 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -546,6 +546,7 @@ class PostsController < ApplicationController

  def wiki
    post = find_post_from_params
+    params.require(:wiki)
    guardian.ensure_can_wiki!(post)

    post.revise(current_user, wiki: params[:wiki])
@ -555,8 +556,10 @@ class PostsController < ApplicationController

  def post_type
    guardian.ensure_can_change_post_type!
-
    post = find_post_from_params
+    params.require(:post_type)
+    raise Discourse::InvalidParameters.new(:post_type) if Post.types[params[:post_type].to_i].blank?
+
    post.revise(current_user, post_type: params[:post_type].to_i)

    render body: nil
--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@ -656,6 +656,14 @@ describe PostsController do

      let!(:post) { post_by_user }

+      it "returns 400 when wiki parameter is not present" do
+        sign_in(admin)
+
+        put "/posts/#{post.id}/wiki.json", params: {}
+
+        expect(response.status).to eq(400)
+      end
+
      it "raises an error if the user doesn't have permission to wiki the post" do
        put "/posts/#{post.id}/wiki.json", params: { wiki: 'true' }
        expect(response).to be_forbidden
@ -706,18 +714,31 @@ describe PostsController do

    describe "when logged in" do
      before do
-        sign_in(user)
+        sign_in(moderator)
      end

      let!(:post) { post_by_user }

      it "raises an error if the user doesn't have permission to change the post type" do
+        sign_in(user)
+
        put "/posts/#{post.id}/post_type.json", params: { post_type: 2 }
        expect(response).to be_forbidden
      end

+      it "returns 400 if post_type parameter is not present" do
+        put "/posts/#{post.id}/post_type.json", params: {}
+
+        expect(response.status).to eq(400)
+      end
+
+      it "returns 400 if post_type parameters is invalid" do
+        put "/posts/#{post.id}/post_type.json", params: { post_type: -1 }
+
+        expect(response.status).to eq(400)
+      end
+
      it "can change the post type" do
-        sign_in(moderator)
        put "/posts/#{post.id}/post_type.json", params: { post_type: 2 }

        post.reload