DEV: Improve tests coverage when listing private messages. ()

This is in response to the security incident published in
https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv.

The security incident highlighted a gap in our test suite so we're
adding more test cases to ensure that personal and group messages do not
leak between users in the future.
Alan Guo Xiang Tan 2021-09-21 10:39:59 +08:00 committed by GitHub
parent 28be284b27
commit 7a8b5cdd5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 77 additions and 0 deletions
spec/lib/topic_query


@ -5,6 +5,8 @@ require 'rails_helper'
describe TopicQuery::PrivateMessageLists do
fab!(:user) { Fabricate(:user) }
fab!(:user_2) { Fabricate(:user) }
fab!(:user_3) { Fabricate(:user) }
fab!(:user_4) { Fabricate(:user) }
fab!(:group) do
Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
@ -12,6 +14,12 @@ describe TopicQuery::PrivateMessageLists do
end
end
fab!(:group_2) do
Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
g.add(user_4)
end
end
fab!(:group_message) do
create_post(
user: user,
@ -20,6 +28,14 @@ describe TopicQuery::PrivateMessageLists do
).topic
end
fab!(:group_message_2) do
create_post(
user: user_3,
target_group_names: [group_2.name],
archetype: Archetype.private_message
).topic
end
fab!(:private_message) do
create_post(
user: user,
@ -337,4 +353,65 @@ describe TopicQuery::PrivateMessageLists do
.to contain_exactly(pm_2)
end
end
describe '#private_messages_for' do
it 'returns a list of group private messages for a given user' do
expect(
TopicQuery
.new(user, group_name: group.name)
.private_messages_for(user, :group)
).to eq([])
expect(
TopicQuery
.new(user_2, group_name: group.name)
.private_messages_for(user_2, :group)
).to contain_exactly(group_message)
expect(
TopicQuery
.new(user_3, group_name: group_2.name)
.private_messages_for(user_3, :group)
).to eq([])
expect(
TopicQuery
.new(user_4, group_name: group_2.name)
.private_messages_for(user_4, :group)
).to contain_exactly(group_message_2)
end
it 'returns a list of personal private messages for a given user' do
expect(TopicQuery.new(user).private_messages_for(user, :user))
.to contain_exactly(private_message, group_message)
expect(TopicQuery.new(user_2).private_messages_for(user_2, :user))
.to contain_exactly(private_message)
expect(TopicQuery.new(user_3).private_messages_for(user_3, :user))
.to contain_exactly(group_message_2)
expect(TopicQuery.new(user_4).private_messages_for(user_4, :user))
.to eq([])
end
it 'returns a list of all private messages for a given user' do
expect(TopicQuery.new(user).private_messages_for(user, :all))
.to contain_exactly(private_message, group_message)
expect(TopicQuery.new(user_2).private_messages_for(user_2, :all))
.to contain_exactly(private_message, group_message)
expect(TopicQuery.new(user_3).private_messages_for(user_3, :all))
.to contain_exactly(group_message_2)
expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
.to contain_exactly(group_message_2)
group_2.remove(user_4)
expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
.to eq([])
end
end
end
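Review bot: The negative cases in 'returns a list of group private messages for a given user' only use `user` and `user_3`, which, as far as the visible fixtures show, belong to no group at all. A membership check that passes for a member of any group, rather than of the requested group, would therefore still satisfy these examples. Add a cross-group example inside `describe '#private_messages_for'` that requests `group_2`'s inbox as `user_2` and `group`'s inbox as `user_4`, both expected to be empty. `user_2`'s membership in `group` is set up on a line outside the shown hunks and is inferred here from the `contain_exactly(group_message)` expectation, so confirm it first.

```ruby
  # … unchanged: the three existing '#private_messages_for' examples …

  it 'does not list messages of a group the user is not a member of' do
    expect(
      TopicQuery
        .new(user_2, group_name: group_2.name)
        .private_messages_for(user_2, :group)
    ).to eq([])

    expect(
      TopicQuery
        .new(user_4, group_name: group.name)
        .private_messages_for(user_4, :group)
    ).to eq([])
  end
```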