SECURITY: banner-info (#17071)

This commit is contained in:
Blake Erickson 2022-06-13 11:10:21 -06:00 committed by GitHub
parent 6650218e3d
commit ae6a907943
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 0 deletions


@ -676,6 +676,7 @@ class ApplicationController < ActionController::Base
def banner_json
json = ApplicationController.banner_json_cache["json"]
return "{}" if !current_user && SiteSetting.login_required?
unless json
topic = Topic.where(archetype: Archetype.banner).first
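Review bot: The new guard `return "{}" if !current_user && SiteSetting.login_required?` is placed after `json = ApplicationController.banner_json_cache["json"]`, so the cache is read for requests whose result is discarded; it reads more clearly as the method's first statement, above the cache lookup, with the reason recorded: `# Banner content is a site topic; on login_required sites it must not be preloaded for anonymous visitors.`. Returning the literal string `"{}"` keeps the return type consistent with the cached JSON string path, which the spec added in this commit compares against directly. banner_json's body continues outside the hunk, so whether the `unless json` fallback path below also needs to consult `current_user` cannot be checked here.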


@ -1002,4 +1002,53 @@ RSpec.describe ApplicationController do
expect(response.status).to eq(200)
end
end
describe "#banner_json" do
let(:admin) { Fabricate(:admin) }
let(:user) { Fabricate(:user) }
fab!(:banner_topic) { Fabricate(:banner_topic) }
fab!(:p1) { Fabricate(:post, topic: banner_topic, raw: "A banner topic") }
before do
admin # to skip welcome wizard at home page `/`
end
context "login_required" do
before do
SiteSetting.login_required = true
end
it "does not include banner info for anonymous users" do
get "/login"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute('data-preloaded').value)
expect(json['banner']).to eq("{}")
end
end
it "includes banner info for logged-in users" do
sign_in(user)
get "/"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute('data-preloaded').value)
expect(JSON.parse(json['banner'])["html"]).to eq("<p>A banner topic</p>")
end
end
end
context "login not required" do
before do
SiteSetting.login_required = false
end
it "does include banner info for anonymous users" do
get "/login"
expect(response.body).to have_tag("div#data-preloaded") do |element|
json = JSON.parse(element.current_scope.attribute('data-preloaded').value)
expect(JSON.parse(json['banner'])["html"]).to eq("<p>A banner topic</p>")
end
end
end
end
end
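Review bot: The "does not include banner info for anonymous users" example only asserts that `json['banner']` equals the `"{}"` sentinel, which does not prove the banner text is absent from the anonymous response; add `expect(response.body).not_to include("A banner topic")` alongside it so a leak through another preloaded key or the rendered page would still fail the spec. The three identical `JSON.parse(element.current_scope.attribute('data-preloaded').value)` lines could be lifted into a small helper (for example `def preloaded_json(element)`) so each example reads as one assertion. The "login not required" context has no logged-in example; since the guard's condition is a conjunction, a `sign_in(user)` case there would pin that the login_required flag, not the user check alone, decides the outcome.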