DEV: Improve tests coverage when listing private messages. (#14385)

This is in response to the security incident published in
https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv.

The security incident highlighted a gap in our test suite so we're
adding more test cases to ensure that personal and group messages do not
leak between users in the future.
Alan Guo Xiang Tan 2021-09-21 10:39:59 +08:00 committed by GitHub
parent 28be284b27
commit 7a8b5cdd5c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 77 additions and 0 deletions


@ -5,6 +5,8 @@ require 'rails_helper'
describe TopicQuery::PrivateMessageLists do describe TopicQuery::PrivateMessageLists do
fab!(:user) { Fabricate(:user) } fab!(:user) { Fabricate(:user) }
fab!(:user_2) { Fabricate(:user) } fab!(:user_2) { Fabricate(:user) }
fab!(:user_3) { Fabricate(:user) }
fab!(:user_4) { Fabricate(:user) }
fab!(:group) do fab!(:group) do
Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g| Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
@ -12,6 +14,12 @@ describe TopicQuery::PrivateMessageLists do
end end
end end
fab!(:group_2) do
Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
g.add(user_4)
end
end
fab!(:group_message) do fab!(:group_message) do
create_post( create_post(
user: user, user: user,
@ -20,6 +28,14 @@ describe TopicQuery::PrivateMessageLists do
).topic ).topic
end end
fab!(:group_message_2) do
create_post(
user: user_3,
target_group_names: [group_2.name],
archetype: Archetype.private_message
).topic
end
fab!(:private_message) do fab!(:private_message) do
create_post( create_post(
user: user, user: user,
@ -337,4 +353,65 @@ describe TopicQuery::PrivateMessageLists do
.to contain_exactly(pm_2) .to contain_exactly(pm_2)
end end
end end
describe '#private_messages_for' do
it 'returns a list of group private messages for a given user' do
expect(
TopicQuery
.new(user, group_name: group.name)
.private_messages_for(user, :group)
).to eq([])
expect(
TopicQuery
.new(user_2, group_name: group.name)
.private_messages_for(user_2, :group)
).to contain_exactly(group_message)
expect(
TopicQuery
.new(user_3, group_name: group_2.name)
.private_messages_for(user_3, :group)
).to eq([])
expect(
TopicQuery
.new(user_4, group_name: group_2.name)
.private_messages_for(user_4, :group)
).to contain_exactly(group_message_2)
end
it 'returns a list of personal private messages for a given user' do
expect(TopicQuery.new(user).private_messages_for(user, :user))
.to contain_exactly(private_message, group_message)
expect(TopicQuery.new(user_2).private_messages_for(user_2, :user))
.to contain_exactly(private_message)
expect(TopicQuery.new(user_3).private_messages_for(user_3, :user))
.to contain_exactly(group_message_2)
expect(TopicQuery.new(user_4).private_messages_for(user_4, :user))
.to eq([])
end
it 'returns a list of all private messages for a given user' do
expect(TopicQuery.new(user).private_messages_for(user, :all))
.to contain_exactly(private_message, group_message)
expect(TopicQuery.new(user_2).private_messages_for(user_2, :all))
.to contain_exactly(private_message, group_message)
expect(TopicQuery.new(user_3).private_messages_for(user_3, :all))
.to contain_exactly(group_message_2)
expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
.to contain_exactly(group_message_2)
group_2.remove(user_4)
expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
.to eq([])
end
end
end end
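Review bot: The `:group` example under `#private_messages_for` never asks for a group the user is unrelated to, so a leak between groups would still pass. Each of its four expectations pairs a user with a group they either posted to or (judging by the expected results) belong to. I would add the cross-group negatives, e.g. `expect(TopicQuery.new(user_4, group_name: group.name).private_messages_for(user_4, :group)).to eq([])` and the mirror for `user_2` with `group_2.name`, assuming a non-member gets an empty list rather than an error. The `group_2.remove(user_4)` revocation check at the end of the `:all` example is also worth repeating for `:group`, since that list is filtered by membership as well. A short comment above the new `describe` block, such as `# user/user_3 are senders only; user_2/user_4 are group members`, would make the expected visibility matrix readable without scrolling up to the fabricators.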