FIX: Better param guards for the `wiki` and `post_type` actions of the posts controller.

Alan Guo Xiang Tan 2022-01-24 15:56:18 +08:00
parent 930f51e175
commit 65f46ad4ed
2 changed files with 27 additions and 3 deletions


@ -546,6 +546,7 @@ class PostsController < ApplicationController
def wiki def wiki
post = find_post_from_params post = find_post_from_params
params.require(:wiki)
guardian.ensure_can_wiki!(post) guardian.ensure_can_wiki!(post)
post.revise(current_user, wiki: params[:wiki]) post.revise(current_user, wiki: params[:wiki])
@ -555,8 +556,10 @@ class PostsController < ApplicationController
def post_type def post_type
guardian.ensure_can_change_post_type! guardian.ensure_can_change_post_type!
post = find_post_from_params post = find_post_from_params
params.require(:post_type)
raise Discourse::InvalidParameters.new(:post_type) if Post.types[params[:post_type].to_i].blank?
post.revise(current_user, post_type: params[:post_type].to_i) post.revise(current_user, post_type: params[:post_type].to_i)
render body: nil render body: nil
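Review bot: In the post_type hunk, `params[:post_type].to_i` still maps any non-numeric string to 0, and raises NoMethodError (a 500 rather than a 400) when the parameter arrives as an array or nested hash, so the new `Post.types[...]` check only rejects out-of-range integers. Parsing once with `post_type = Integer(params[:post_type], exception: false)`, then `raise Discourse::InvalidParameters.new(:post_type) if post_type.nil? || Post.types[post_type].blank?` and `post.revise(current_user, post_type: post_type)` rejects malformed input consistently and drops the duplicated `to_i`; this relies on `Post.types[]` accepting the integer value, which the added line already assumes. In the wiki hunk the new `params.require(:wiki)` checks presence only, so any non-blank string is forwarded to `post.revise`; if PostRevisor does not already coerce it, an explicit boolean cast or a comment such as `# wiki arrives as a string ("true"/"false"); coercion happens in the revisor` would make the contract visible. Both methods' closing lines are outside these hunks.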


@ -656,6 +656,14 @@ describe PostsController do
let!(:post) { post_by_user } let!(:post) { post_by_user }
it "returns 400 when wiki parameter is not present" do
sign_in(admin)
put "/posts/#{post.id}/wiki.json", params: {}
expect(response.status).to eq(400)
end
it "raises an error if the user doesn't have permission to wiki the post" do it "raises an error if the user doesn't have permission to wiki the post" do
put "/posts/#{post.id}/wiki.json", params: { wiki: 'true' } put "/posts/#{post.id}/wiki.json", params: { wiki: 'true' }
expect(response).to be_forbidden expect(response).to be_forbidden
@ -706,18 +714,31 @@ describe PostsController do
describe "when logged in" do describe "when logged in" do
before do before do
sign_in(user) sign_in(moderator)
end end
let!(:post) { post_by_user } let!(:post) { post_by_user }
it "raises an error if the user doesn't have permission to change the post type" do it "raises an error if the user doesn't have permission to change the post type" do
sign_in(user)
put "/posts/#{post.id}/post_type.json", params: { post_type: 2 } put "/posts/#{post.id}/post_type.json", params: { post_type: 2 }
expect(response).to be_forbidden expect(response).to be_forbidden
end end
it "returns 400 if post_type parameter is not present" do
put "/posts/#{post.id}/post_type.json", params: {}
expect(response.status).to eq(400)
end
it "returns 400 if post_type parameters is invalid" do
put "/posts/#{post.id}/post_type.json", params: { post_type: -1 }
expect(response.status).to eq(400)
end
it "can change the post type" do it "can change the post type" do
sign_in(moderator)
put "/posts/#{post.id}/post_type.json", params: { post_type: 2 } put "/posts/#{post.id}/post_type.json", params: { post_type: 2 }
post.reload post.reload