SECURITY: user summary could show topic links you have no permissions to

2016-01-28 11:12:12 +11:00 · 2016-01-28 11:12:12 +11:00 · b25e505fb7
parent 6a7bdfecc8
commit b25e505fb7
2 changed files with 40 additions and 2 deletions
--- a/app/models/user_summary.rb
+++ b/app/models/user_summary.rb
@ -16,6 +16,7 @@ class UserSummary
    Topic
      .secured(@guardian)
      .listable_topics
+      .visible
      .where(user: @user)
      .order('like_count desc, created_at asc')
      .includes(:user, :category)
@ -25,12 +26,13 @@ class UserSummary
  def replies
    Post
      .secured(@guardian)
+      .includes(:user, {topic: :category})
+      .references(:topic)
+      .merge(Topic.listable_topics.visible.secured(@guardian))
      .where(user: @user)
      .where('post_number > 1')
      .where('topics.archetype <> ?', Archetype.private_message)
      .order('posts.like_count desc, posts.created_at asc')
-      .includes(:user, {topic: :category})
-      .references(:topic)
      .limit(MAX_TOPICS)
  end

--- a/spec/models/user_summary_spec.rb
+++ b/spec/models/user_summary_spec.rb
@ -0,0 +1,36 @@
+require 'rails_helper'
+
+describe UserSummary do
+
+  it "produces secure summaries" do
+    topic = create_post.topic
+    user = topic.user
+    _reply = create_post(user: topic.user, topic: topic)
+
+    summary = UserSummary.new(user, Guardian.new)
+
+    expect(summary.topics.length).to eq(1)
+    expect(summary.replies.length).to eq(1)
+
+    topic.update_columns(deleted_at: Time.now)
+
+    expect(summary.topics.length).to eq(0)
+    expect(summary.replies.length).to eq(0)
+
+    topic.update_columns(deleted_at: nil, visible: false)
+
+    expect(summary.topics.length).to eq(0)
+    expect(summary.replies.length).to eq(0)
+
+    category = Fabricate(:category)
+    topic.update_columns(category_id: category.id, deleted_at: nil, visible: true)
+
+    category.set_permissions(staff: :full)
+    category.save
+
+    expect(summary.topics.length).to eq(0)
+    expect(summary.replies.length).to eq(0)
+
+  end
+
+end