security issue, anon and logged in users could see the fact that a user sent another user a pm (but could not see the pm itself or title)

2013-10-03 16:48:03 -07:00 · 2013-10-03 16:48:03 -07:00 · ad93fc959c
parent baa2ab8604
commit ad93fc959c
3 changed files with 43 additions and 2 deletions
--- a/app/models/post_action_type.rb
+++ b/app/models/post_action_type.rb
@ -15,6 +15,10 @@ class PostActionType < ActiveRecord::Base
      @auto_action_flag_types ||= flag_types.except(:notify_user, :notify_moderators)
    end

+    def public_types
+      @public_types ||= types.except(*flag_types.keys << :notify_user)
+    end
+
    def flag_types
      @flag_types ||= types.only(:off_topic, :spam, :inappropriate, :notify_moderators)
    end
--- a/app/serializers/post_serializer.rb
+++ b/app/serializers/post_serializer.rb
@ -7,6 +7,7 @@ class PostSerializer < BasicPostSerializer
  attr_accessor :add_raw
  attr_accessor :single_post_link_counts
  attr_accessor :draft_sequence
+  attr_accessor :post_actions

  attributes :post_number,
             :post_type,
@ -152,8 +153,8 @@ class PostSerializer < BasicPostSerializer
        action_summary[:can_undo] = scope.can_delete?(post_actions[id])
      end

-      # anonymize flags
-      if !scope.is_staff? && PostActionType.flag_types.values.include?(id)
+      # only show public data
+      unless scope.is_staff? || PostActionType.public_types.values.include?(id)
        action_summary[:count] = action_summary[:acted] ? 1 : 0
      end

--- a/spec/serializers/post_serializer_spec.rb
+++ b/spec/serializers/post_serializer_spec.rb
@ -1,7 +1,43 @@
 require 'spec_helper'
+require_dependency 'post_action'

 describe PostSerializer do

+  context "a post with lots of actions" do
+    let(:post){Fabricate(:post)}
+    let(:actor){Fabricate(:user)}
+    let(:admin){Fabricate(:admin)}
+    let(:acted_ids){
+      PostActionType.public_types.values
+        .concat([:notify_user,:spam]
+        .map{|k| PostActionType.types[k]})
+    }
+
+    def visible_actions_for(user)
+      serializer = PostSerializer.new(post, scope: Guardian.new(user), root: false)
+      # NOTE this is messy, we should extract all this logic elsewhere
+      serializer.post_actions = PostAction.counts_for([post], actor)[post.id] if user.try(:id) == actor.id
+      actions = serializer.as_json[:actions_summary]
+      lookup = PostActionType.types.invert
+      actions.keep_if{|a| a[:count] > 0}.map{|a| lookup[a[:id]]}
+    end
+
+    before do
+      acted_ids.each do|id|
+        PostAction.act(actor, post, id)
+      end
+      post.reload
+    end
+
+    it "displays the correct info" do
+      visible_actions_for(actor).sort.should == [:like,:notify_user,:spam,:vote]
+      visible_actions_for(post.user).sort.should == [:like,:vote]
+      visible_actions_for(nil).sort.should == [:like,:vote]
+      visible_actions_for(admin).sort.should == [:like,:notify_user,:spam,:vote]
+    end
+
+  end
+
  context "a post by a nuked user" do
    let!(:post) { Fabricate(:post, user: Fabricate(:user), deleted_at: Time.zone.now) }