return 403 when trying drafts of another user
This commit is contained in:
parent
b8c0a29bec
commit
aa614e393c
|
@ -16,8 +16,6 @@ class DraftsController < ApplicationController
|
|||
limit: params[:limit]
|
||||
}
|
||||
|
||||
help_key = "user_activity.no_drafts"
|
||||
|
||||
if user == current_user
|
||||
stream = Draft.stream(opts)
|
||||
stream.each do |d|
|
||||
|
@ -31,15 +29,13 @@ class DraftsController < ApplicationController
|
|||
end
|
||||
end
|
||||
end
|
||||
|
||||
help_key += ".self"
|
||||
else
|
||||
help_key += ".others"
|
||||
raise Discourse::InvalidAccess
|
||||
end
|
||||
|
||||
render json: {
|
||||
drafts: stream ? serialize_data(stream, DraftSerializer) : [],
|
||||
no_results_help: I18n.t(help_key)
|
||||
no_results_help: I18n.t("user_activity.no_drafts.self")
|
||||
}
|
||||
|
||||
end
|
||||
|
|
|
@ -796,7 +796,6 @@ en:
|
|||
others: "No replies."
|
||||
no_drafts:
|
||||
self: "You have no drafts; begin composing a reply in any topic and it will be auto-saved as a new draft."
|
||||
others: "You do not have permission to see drafts for this user."
|
||||
|
||||
topic_flag_types:
|
||||
spam:
|
||||
|
|
|
@ -1,4 +1,5 @@
|
|||
require 'rails_helper'
|
||||
require 'pp'
|
||||
|
||||
describe DraftsController do
|
||||
it 'requires you to be logged in' do
|
||||
|
@ -28,11 +29,8 @@ describe DraftsController do
|
|||
it 'does not let a user see drafts stream of another user' do
|
||||
user_b = Fabricate(:user)
|
||||
Draft.set(user_b, 'xxx', 0, '{}')
|
||||
|
||||
sign_in(Fabricate(:user))
|
||||
get "/drafts.json", params: { username: user_b.username }
|
||||
expect(response.status).to eq(200)
|
||||
parsed = JSON.parse(response.body)
|
||||
expect(parsed["drafts"].length).to eq(0)
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue