From 7a8b5cdd5c4466c73f77ca30bd28eca90d7ba0c2 Mon Sep 17 00:00:00 2001 From: Alan Guo Xiang Tan Date: Tue, 21 Sep 2021 10:39:59 +0800 Subject: [PATCH] DEV: Improve tests coverage when listing private messages. (#14385) This is in response to the security incident published in https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv. The security incident highlighted a gap in our test suite so we're adding more test cases to ensure that personal and group messages do not leak between users in the future. --- .../topic_query/private_message_lists_spec.rb | 77 +++++++++++++++++++ 1 file changed, 77 insertions(+) diff --git a/spec/lib/topic_query/private_message_lists_spec.rb b/spec/lib/topic_query/private_message_lists_spec.rb index 681a4b887a7..a5108ebf171 100644 --- a/spec/lib/topic_query/private_message_lists_spec.rb +++ b/spec/lib/topic_query/private_message_lists_spec.rb @@ -5,6 +5,8 @@ require 'rails_helper' describe TopicQuery::PrivateMessageLists do fab!(:user) { Fabricate(:user) } fab!(:user_2) { Fabricate(:user) } + fab!(:user_3) { Fabricate(:user) } + fab!(:user_4) { Fabricate(:user) } fab!(:group) do Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g| @@ -12,6 +14,12 @@ describe TopicQuery::PrivateMessageLists do end end + fab!(:group_2) do + Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g| + g.add(user_4) + end + end + fab!(:group_message) do create_post( user: user, @@ -20,6 +28,14 @@ describe TopicQuery::PrivateMessageLists do ).topic end + fab!(:group_message_2) do + create_post( + user: user_3, + target_group_names: [group_2.name], + archetype: Archetype.private_message + ).topic + end + fab!(:private_message) do create_post( user: user, 
@@ -337,4 +353,65 @@ describe TopicQuery::PrivateMessageLists do
 .to contain_exactly(pm_2)
 end
 end
+
+ describe '#private_messages_for' do
+ it 'returns a list of group private messages for a given user' do
+ expect(
+ TopicQuery
+ .new(user, group_name: group.name)
+ .private_messages_for(user, :group)
+ ).to eq([])
+
+ expect(
+ TopicQuery
+ .new(user_2, group_name: group.name)
+ .private_messages_for(user_2, :group)
+ ).to contain_exactly(group_message)
+
+ expect(
+ TopicQuery
+ .new(user_3, group_name: group_2.name)
+ .private_messages_for(user_3, :group)
+ ).to eq([])
+
+ expect(
+ TopicQuery
+ .new(user_4, group_name: group_2.name)
+ .private_messages_for(user_4, :group)
+ ).to contain_exactly(group_message_2)
+ end
+
+ it 'returns a list of personal private messages for a given user' do
+ expect(TopicQuery.new(user).private_messages_for(user, :user))
+ .to contain_exactly(private_message, group_message)
+
+ expect(TopicQuery.new(user_2).private_messages_for(user_2, :user))
+ .to contain_exactly(private_message)
+
+ expect(TopicQuery.new(user_3).private_messages_for(user_3, :user))
+ .to contain_exactly(group_message_2)
+
+ expect(TopicQuery.new(user_4).private_messages_for(user_4, :user))
+ .to eq([])
+ end
+
+ it 'returns a list of all private messages for a given user' do
+ expect(TopicQuery.new(user).private_messages_for(user, :all))
+ .to contain_exactly(private_message, group_message)
+
+ expect(TopicQuery.new(user_2).private_messages_for(user_2, :all))
+ .to contain_exactly(private_message, group_message)
+
+ expect(TopicQuery.new(user_3).private_messages_for(user_3, :all))
+ .to contain_exactly(group_message_2)
+
+ expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
+ .to contain_exactly(group_message_2)
+
+ group_2.remove(user_4)
+
+ expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
+ .to eq([])
+ end
+ end
 end
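Review bot: The `:group` example never queries a group as a member of a different group: each of its four expectations pairs a user with the group they either belong to or sent the message to, so a leak across groups would not fail any assertion here. Since the commit message says the goal is to keep group messages from leaking between users, a cross-group negative case would pin that, for example `expect(TopicQuery.new(user_4, group_name: group.name).private_messages_for(user_4, :group)).to eq([])`; the empty result is inferred from the neighbouring assertions and should be confirmed against the implementation. The re-check after `group_2.remove(user_4)` is also made only for `:all`, so repeating it with `group_name: group_2.name` and `:group` would cover revoked membership on the group listing as well.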