SECURITY: Remove indication that a group exists if user can't see it.
Minor security fix but we should not leak any hints that a group exists even if a user does not have access to the group.
This commit is contained in:
parent
5ed84d9885
commit
b0f22f2523
|
@ -629,7 +629,7 @@ class GroupsController < ApplicationController
|
|||
def find_group(param_name, ensure_can_see: true)
|
||||
name = params.require(param_name)
|
||||
group = Group.find_by("LOWER(name) = ?", name.downcase)
|
||||
guardian.ensure_can_see!(group) if ensure_can_see
|
||||
raise Discourse::NotFound if ensure_can_see && !guardian.can_see_group?(group)
|
||||
group
|
||||
end
|
||||
|
||||
|
|
|
@ -357,7 +357,7 @@ describe GroupsController do
|
|||
|
||||
get "/groups/#{group.name}.json"
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
it "returns the right response" do
|
||||
|
@ -430,7 +430,7 @@ describe GroupsController do
|
|||
|
||||
get "/groups/#{group.name}/posts.json"
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
it "ensures the group members can be seen" do
|
||||
|
@ -473,7 +473,7 @@ describe GroupsController do
|
|||
|
||||
get "/groups/#{group.name}/members.json"
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
it "ensures the group members can be seen" do
|
||||
|
@ -1888,7 +1888,7 @@ describe GroupsController do
|
|||
|
||||
get "/groups/#{group.name}/permissions.json"
|
||||
|
||||
expect(response.status).to eq(403)
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
describe "with varying category permissions" do
|
||||
|
|
Loading…
Reference in New Issue