DEV: Improve tests coverage when listing private messages. (#14385)
This is in response to the security incident published in https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv. The security incident highlighted a gap in our test suite so we're adding more test cases to ensure that personal and group messages do not leak between users in the future.
parent
28be284b27
commit
7a8b5cdd5c
spec/lib/topic_query
|
@ -5,6 +5,8 @@ require 'rails_helper'
|
|||
describe TopicQuery::PrivateMessageLists do
|
||||
fab!(:user) { Fabricate(:user) }
|
||||
fab!(:user_2) { Fabricate(:user) }
|
||||
fab!(:user_3) { Fabricate(:user) }
|
||||
fab!(:user_4) { Fabricate(:user) }
|
||||
|
||||
fab!(:group) do
|
||||
Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
|
||||
|
@ -12,6 +14,12 @@ describe TopicQuery::PrivateMessageLists do
|
|||
end
|
||||
end
|
||||
|
||||
fab!(:group_2) do
|
||||
Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
|
||||
g.add(user_4)
|
||||
end
|
||||
end
|
||||
|
||||
fab!(:group_message) do
|
||||
create_post(
|
||||
user: user,
|
||||
|
@ -20,6 +28,14 @@ describe TopicQuery::PrivateMessageLists do
|
|||
).topic
|
||||
end
|
||||
|
||||
fab!(:group_message_2) do
|
||||
create_post(
|
||||
user: user_3,
|
||||
target_group_names: [group_2.name],
|
||||
archetype: Archetype.private_message
|
||||
).topic
|
||||
end
|
||||
|
||||
fab!(:private_message) do
|
||||
create_post(
|
||||
user: user,
|
||||
|
@ -337,4 +353,65 @@ describe TopicQuery::PrivateMessageLists do
|
|||
.to contain_exactly(pm_2)
|
||||
end
|
||||
end
|
||||
|
||||
describe '#private_messages_for' do
|
||||
it 'returns a list of group private messages for a given user' do
|
||||
expect(
|
||||
TopicQuery
|
||||
.new(user, group_name: group.name)
|
||||
.private_messages_for(user, :group)
|
||||
).to eq([])
|
||||
|
||||
expect(
|
||||
TopicQuery
|
||||
.new(user_2, group_name: group.name)
|
||||
.private_messages_for(user_2, :group)
|
||||
).to contain_exactly(group_message)
|
||||
|
||||
expect(
|
||||
TopicQuery
|
||||
.new(user_3, group_name: group_2.name)
|
||||
.private_messages_for(user_3, :group)
|
||||
).to eq([])
|
||||
|
||||
expect(
|
||||
TopicQuery
|
||||
.new(user_4, group_name: group_2.name)
|
||||
.private_messages_for(user_4, :group)
|
||||
).to contain_exactly(group_message_2)
|
||||
end
|
||||
|
||||
it 'returns a list of personal private messages for a given user' do
|
||||
expect(TopicQuery.new(user).private_messages_for(user, :user))
|
||||
.to contain_exactly(private_message, group_message)
|
||||
|
||||
expect(TopicQuery.new(user_2).private_messages_for(user_2, :user))
|
||||
.to contain_exactly(private_message)
|
||||
|
||||
expect(TopicQuery.new(user_3).private_messages_for(user_3, :user))
|
||||
.to contain_exactly(group_message_2)
|
||||
|
||||
expect(TopicQuery.new(user_4).private_messages_for(user_4, :user))
|
||||
.to eq([])
|
||||
end
|
||||
|
||||
it 'returns a list of all private messages for a given user' do
|
||||
expect(TopicQuery.new(user).private_messages_for(user, :all))
|
||||
.to contain_exactly(private_message, group_message)
|
||||
|
||||
expect(TopicQuery.new(user_2).private_messages_for(user_2, :all))
|
||||
.to contain_exactly(private_message, group_message)
|
||||
|
||||
expect(TopicQuery.new(user_3).private_messages_for(user_3, :all))
|
||||
.to contain_exactly(group_message_2)
|
||||
|
||||
expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
|
||||
.to contain_exactly(group_message_2)
|
||||
|
||||
group_2.remove(user_4)
|
||||
|
||||
expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
|
||||
.to eq([])
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
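Review bot: The `:group` example in `#private_messages_for` only queries a group as one of its members or as the non-member author of its message, so no assertion covers a member of one group asking for a different group's messages. Since these specs exist to catch leaks between users, add the cross-group negative case, e.g. `expect(TopicQuery.new(user_4, group_name: group.name).private_messages_for(user_4, :group)).to eq([])`, and the mirror case for the member of `group` against `group_2.name`. The body of `fab!(:group)` lies between hunks, so which user it adds is inferred from the expectations rather than visible here. The `:group` example would also benefit from the same post-`group_2.remove(user_4)` check that the `:all` example ends with, so that revoked membership is asserted on both paths.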