From 926e45d030d424e9ccccdc95d7f99255f54c00d8 Mon Sep 17 00:00:00 2001
From: Robin Ward
Date: Fri, 29 Aug 2014 13:46:50 -0400
Subject: [PATCH] SECURITY: User action route was returning too much data

---
 app/assets/javascripts/discourse/models/user.js | 7 ++++---
 app/controllers/user_actions_controller.rb | 2 +-
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/app/assets/javascripts/discourse/models/user.js b/app/assets/javascripts/discourse/models/user.js
index 6896cf2dd5e..ee48d7c08c6 100644
--- a/app/assets/javascripts/discourse/models/user.js
+++ b/app/assets/javascripts/discourse/models/user.js
@@ -256,9 +256,10 @@ Discourse.User = Discourse.Model.extend({
     var self = this, stream = this.get('stream');
     return Discourse.ajax("/user_actions/" + id + ".json", { cache: 'false' }).then(function(result) {
-      if (result) {
-        if ((self.get('stream.filter') || result.action_type) !== result.action_type) return;
-        var action = Discourse.UserAction.collapseStream([Discourse.UserAction.create(result)]);
+      if (result && result.user_action) {
+        var ua = result.user_action;
+        if ((self.get('stream.filter') || ua.action_type) !== ua.action_type) return;
+        var action = Discourse.UserAction.collapseStream([Discourse.UserAction.create(ua)]);
         stream.set('itemsLoaded', stream.get('itemsLoaded') + 1);
         stream.get('content').insertAt(0, action[0]);
       }
diff --git a/app/controllers/user_actions_controller.rb b/app/controllers/user_actions_controller.rb
index bc943dca74f..da2e042d481 100644
--- a/app/controllers/user_actions_controller.rb
+++ b/app/controllers/user_actions_controller.rb
@@ -22,7 +22,7 @@ class UserActionsController < ApplicationController
   def show
     params.require(:id)
-    render json: UserAction.stream_item(params[:id], guardian)
+    render_serialized(UserAction.stream_item(params[:id], guardian), UserActionSerializer)
   end
   def private_messages
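Review bot: The new `result && result.user_action` guard is the client's only dependency on the response envelope that the controller hunk introduces via `UserActionSerializer`, and nothing in the hunk records that; a response without a `user_action` key now falls through silently, which a reader cannot distinguish from an action filtered out by the `stream.filter` comparison on the next line. Add a why-comment above the guard, e.g. `// Server returns a serialized envelope ({ user_action: {...} }); anything else is ignored rather than inserted into the stream`, so a later change to the endpoint's shape is caught by whoever reads this. As a point of style, `ua` reads as an abbreviation only the author knows; `userAction` would cost nothing here. The enclosing method starts before the hunk and its promise callback closes after it, so this is judged on the visible lines only.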
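Review bot: The new `render_serialized` line passes whatever `UserAction.stream_item(params[:id], guardian)` returns straight to the serializer with no nil check; since `stream_item` takes `guardian`, it presumably returns nothing for an id the caller may not see, and what the response then looks like depends on how `render_serialized` treats nil rather than on an explicit not-found. I would split it into `item = UserAction.stream_item(params[:id], guardian)`, `raise Discourse::NotFound if item.nil?` (or the project's equivalent), `render_serialized(item, UserActionSerializer)`. With this change the serializer is the sole allow-list for what leaves the server on this route, so a controller spec asserting the `user_action` keys in the JSON match the serializer's declared attributes would keep a future column added to `stream_item` from quietly re-exposing data the way the old `render json:` did. `private_messages` begins at the end of the hunk and continues outside it.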