From b25e505fb7ba6911fa8e60b61e02a8ab98f53428 Mon Sep 17 00:00:00 2001
From: Sam Saffron
Date: Thu, 28 Jan 2016 11:12:12 +1100
Subject: [PATCH] SECURITY: user summary could show topic links you have no permissions to
---
 app/models/user_summary.rb | 6 ++++--
 spec/models/user_summary_spec.rb | 36 ++++++++++++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 spec/models/user_summary_spec.rb
diff --git a/app/models/user_summary.rb b/app/models/user_summary.rb
index 2525a82b5f3..4be51a45348 100644
--- a/app/models/user_summary.rb
+++ b/app/models/user_summary.rb
@@ -16,6 +16,7 @@ class UserSummary
 Topic
 .secured(@guardian)
 .listable_topics
+ .visible
 .where(user: @user)
 .order('like_count desc, created_at asc')
 .includes(:user, :category)
@@ -25,12 +26,13 @@ class UserSummary
 def replies
 Post
 .secured(@guardian)
+ .includes(:user, {topic: :category})
+ .references(:topic)
+ .merge(Topic.listable_topics.visible.secured(@guardian))
 .where(user: @user)
 .where('post_number > 1')
 .where('topics.archetype <> ?', Archetype.private_message)
 .order('posts.like_count desc, posts.created_at asc')
- .includes(:user, {topic: :category})
- .references(:topic)
 .limit(MAX_TOPICS)
 end
 
diff --git a/spec/models/user_summary_spec.rb b/spec/models/user_summary_spec.rb
new file mode 100644
index 00000000000..77e96a496d4
--- /dev/null
+++ b/spec/models/user_summary_spec.rb
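Review bot: The new `.visible` on the topics scope is an authorization filter rather than a presentation choice, but nothing in the chain records that, so a later refactor that drops it to show a fuller listing would quietly reopen what this commit closes. I would put a short comment above `Topic` such as `# listable_topics / visible / secured(@guardian) are the authorization boundary for this summary; pinned by spec/models/user_summary_spec.rb`, and the same comment above the merged scope in the `replies` hunk below. The enclosing method starts outside this hunk.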
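Review bot: The merged topic scope in `replies` only has a `topics` table to filter on because `.includes(:user, {topic: :category})` combined with `.references(:topic)` forces an eager-load join; the authorization predicate is therefore coupled to an eager-loading detail, and changing either line later (for example to `preload`) would break the query at runtime rather than silently widen it, which is fail-closed but surprising. Adding an explicit `.joins(:topic)` directly before `.merge(Topic.listable_topics.visible.secured(@guardian))` makes the permission filter stand on its own, and the same join also serves the `'topics.archetype <> ?'` string condition. It is worth confirming that `Topic.secured` does not itself join `topics`, since `.merge` could then duplicate the join; its definition is not visible in this patch. The `replies` method is fully contained in this hunk.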
@@ -0,0 +1,36 @@
+require 'rails_helper'
+
+describe UserSummary do
+
+ it "produces secure summaries" do
+ topic = create_post.topic
+ user = topic.user
+ _reply = create_post(user: topic.user, topic: topic)
+
+ summary = UserSummary.new(user, Guardian.new)
+
+ expect(summary.topics.length).to eq(1)
+ expect(summary.replies.length).to eq(1)
+
+ topic.update_columns(deleted_at: Time.now)
+
+ expect(summary.topics.length).to eq(0)
+ expect(summary.replies.length).to eq(0)
+
+ topic.update_columns(deleted_at: nil, visible: false)
+
+ expect(summary.topics.length).to eq(0)
+ expect(summary.replies.length).to eq(0)
+
+ category = Fabricate(:category)
+ topic.update_columns(category_id: category.id, deleted_at: nil, visible: true)
+
+ category.set_permissions(staff: :full)
+ category.save
+
+ expect(summary.topics.length).to eq(0)
+ expect(summary.replies.length).to eq(0)
+
+ end
+
+end
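Review bot: `category.save` discards its result, so if the permission change fails validation the spec reports a count of 1 instead of 0 and points at the summary rather than at the fixture; `category.save!` would surface the real cause. After the category is restricted the spec only asserts the empty case, and a matching check with a guardian that does hold the permission would show the filter narrows the summary rather than emptying it (`Guardian.new` presumably stands for an anonymous viewer, which I cannot confirm from this patch). A reply whose own `deleted_at` is set is not exercised either; whether `Post.secured` already excludes such posts is not visible here, so that case is worth a line in this spec.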