From 7df4e4afb9afd2dd0c7da2eb7a6ec9365da9c9d5 Mon Sep 17 00:00:00 2001
From: Sam
Date: Sun, 13 Oct 2013 09:54:48 +1100
Subject: [PATCH] security fix, anon should not be treated as though they can create anything
---
 app/models/category.rb | 12 ++++++++++--
 spec/models/category_spec.rb | 9 +++++----
 2 files changed, 15 insertions(+), 6 deletions(-)
diff --git a/app/models/category.rb b/app/models/category.rb
index 27cbe2095ca..2432b3a1c2d 100644
--- a/app/models/category.rb
+++ b/app/models/category.rb
@@ -50,11 +50,19 @@ class Category < ActiveRecord::Base
 }
 
 scope :topic_create_allowed, ->(guardian) {
- scoped_to_permissions(guardian, [:full])
+ if guardian.anonymous?
+ where("1=0")
+ else
+ scoped_to_permissions(guardian, [:full])
+ end
 }
 
 scope :post_create_allowed, ->(guardian) {
- scoped_to_permissions(guardian, [:create_post, :full])
+ if guardian.anonymous?
+ where("1=0")
+ else
+ scoped_to_permissions(guardian, [:create_post, :full])
+ end
 }
 
 delegate :post_template, to: 'self.class'
diff --git a/spec/models/category_spec.rb b/spec/models/category_spec.rb
index df4353556f7..75dcb9c4613 100644
--- a/spec/models/category_spec.rb
+++ b/spec/models/category_spec.rb
@@ -67,14 +67,15 @@ describe Category do
 can_post_category.save
 Category.post_create_allowed(guardian).count.should == 3
+
+ # anonymous has permission to create no topics
+ guardian = Guardian.new(nil)
+ Category.post_create_allowed(guardian).count.should == 0
+
 end
 
 end
 
- describe "post_create_allowed" do
-
- end
-
 describe "security" do
 let(:category) { Fabricate(:category) }
 let(:category_2) { Fabricate(:category) }
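Review bot: Both scopes in the category.rb hunk hand-roll an empty relation with `where("1=0")` and duplicate the same anonymous branch; if the app is on Rails 4, `none` is the idiomatic empty relation and a guard at the top of each lambda reads better, e.g. `return none if guardian.anonymous?` followed by the existing `scoped_to_permissions` call. Neither scope says why anonymous is rejected here rather than inside `scoped_to_permissions`, so a one-line comment is worth adding, e.g. `# anonymous users may read secured categories but never create in them, so short-circuit before consulting permissions`. `scoped_to_permissions` is defined outside the hunk; if any caller can pass a nil guardian, `guardian.anonymous?` will now raise where the old call may not have, so that path should be confirmed. These scopes filter category listings, so presumably the per-request create check still lives in Guardian and this change is defence in depth rather than the sole gate; if that is not the case, the controller-side check deserves its own test.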