Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Filter tags in user notifications for visibility (#19239)

This commit is contained in:
Daniel Waterworth 2022-11-29 10:35:41 -06:00 committed by GitHub
parent 0cc6e678bb
commit 84c83e8d4a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
app/mailers/user_notifications.rb
View File

@ -533,11 +533,13 @@ class UserNotifications < ActionMailer::Base
# tag names # tag names
if opts[:show_tags_in_subject] && post.topic_id if opts[:show_tags_in_subject] && post.topic_id
tags =
tags = Tag.joins(:topic_tags) DiscourseTagging
.where("topic_tags.topic_id = ?", post.topic_id) .visible_tags(Guardian.new(user))
.limit(3) .joins(:topic_tags)
.pluck(:name) .where("topic_tags.topic_id = ?", post.topic_id)
.limit(3)
.pluck(:name)
show_tags_in_subject = tags.any? ? tags.join(" ") : nil show_tags_in_subject = tags.any? ? tags.join(" ") : nil
end end

11
spec/mailers/user_notifications_spec.rb
View File

@ -298,7 +298,13 @@ RSpec.describe UserNotifications do
let(:category) { Fabricate(:category, name: 'India') } let(:category) { Fabricate(:category, name: 'India') }
let(:tag1) { Fabricate(:tag, name: 'Taggo') } let(:tag1) { Fabricate(:tag, name: 'Taggo') }
let(:tag2) { Fabricate(:tag, name: 'Taggie') } let(:tag2) { Fabricate(:tag, name: 'Taggie') }
let(:topic) { Fabricate(:topic, category: category, tags: [tag1, tag2], title: "Super cool topic") }
let(:hidden_tag) { Fabricate(:tag, name: "hidden") }
let!(:hidden_tag_group) do
Fabricate(:tag_group, permissions: { "staff" => 1 }, tag_names: [hidden_tag.name])
end
let(:topic) { Fabricate(:topic, category: category, tags: [tag1, tag2, hidden_tag], title: "Super cool topic") }
let(:post) { Fabricate(:post, topic: topic, raw: 'This is My super duper cool topic') } let(:post) { Fabricate(:post, topic: topic, raw: 'This is My super duper cool topic') }
let(:response) { Fabricate(:basic_reply, topic: post.topic, user: response_by_user) } let(:response) { Fabricate(:basic_reply, topic: post.topic, user: response_by_user) }
let(:user) { Fabricate(:user) } let(:user) { Fabricate(:user) }
@ -377,6 +383,9 @@ RSpec.describe UserNotifications do
expect(mail_html.scan(/>Bob Marley/).count).to eq(1) expect(mail_html.scan(/>Bob Marley/).count).to eq(1)
expect(mail_html.scan(/>bobmarley/).count).to eq(0) expect(mail_html.scan(/>bobmarley/).count).to eq(0)
expect(mail.subject.scan(/#{tag1.name}/).count).to eq(1)
expect(mail.subject.scan(/#{hidden_tag.name}/).count).to eq(0)
SiteSetting.prioritize_username_in_ux = true SiteSetting.prioritize_username_in_ux = true
mail = UserNotifications.user_replied( mail = UserNotifications.user_replied(