From c9e4745fe8081430079c25edbba0b5211dd9a28c Mon Sep 17 00:00:00 2001 From: Kane York Date: Fri, 18 Sep 2015 00:14:10 -0700 Subject: [PATCH] FIX: Return 410 Gone for deleted topics you could otherwise see --- app/controllers/topics_controller.rb | 5 +++++ lib/discourse.rb | 8 +++++++- lib/guardian/topic_guardian.rb | 16 ++++++++++++++++ lib/topic_view.rb | 2 +- spec/controllers/topics_controller_spec.rb | 20 +++++++++++++++++--- 5 files changed, 46 insertions(+), 5 deletions(-) diff --git a/app/controllers/topics_controller.rb b/app/controllers/topics_controller.rb index f728f35c639..7be74273ae1 100644 --- a/app/controllers/topics_controller.rb +++ b/app/controllers/topics_controller.rb @@ -93,6 +93,11 @@ class TopicsController < ApplicationController Notification.remove_for(current_user.id, params[:topic_id]) end + if ex.obj && Topic === ex.obj && guardian.can_see_topic_if_not_deleted?(ex.obj) + rescue_discourse_actions(:not_found, 410) + return + end + raise ex end diff --git a/lib/discourse.rb b/lib/discourse.rb index 82b1280eed2..1acf9abb6ac 100644 --- a/lib/discourse.rb +++ b/lib/discourse.rb @@ -43,7 +43,13 @@ module Discourse class InvalidParameters < StandardError; end # When they don't have permission to do something - class InvalidAccess < StandardError; end + class InvalidAccess < StandardError + attr_reader :obj + def initialize(msg=nil, obj=nil) + super(msg) + @obj = obj + end + end # When something they want is not found class NotFound < StandardError; end diff --git a/lib/guardian/topic_guardian.rb b/lib/guardian/topic_guardian.rb index 8c03cc3e382..cb5cc6d7239 100644 --- a/lib/guardian/topic_guardian.rb +++ b/lib/guardian/topic_guardian.rb @@ -72,6 +72,22 @@ module TopicGuardian !topic.read_restricted_category? || can_see_category?(topic.category) end + def can_see_topic_if_not_deleted?(topic) + return false unless topic + # Admins can see everything + return true if is_admin? + # Deleted topics + # return false if topic.deleted_at && !can_see_deleted_topics? + + if topic.private_message? + return authenticated? && + topic.all_allowed_users.where(id: @user.id).exists? + end + + # not secure, or I can see it + !topic.read_restricted_category? || can_see_category?(topic.category) + end + def filter_allowed_categories(records) unless is_admin? allowed_ids = allowed_category_ids diff --git a/lib/topic_view.rb b/lib/topic_view.rb index 52222a6d3fc..23a458991b1 100644 --- a/lib/topic_view.rb +++ b/lib/topic_view.rb @@ -417,7 +417,7 @@ class TopicView if @topic.present? && @topic.private_message? && @user.blank? raise Discourse::NotLoggedIn.new end - guardian.ensure_can_see!(@topic) + raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless guardian.can_see?(@topic) end diff --git a/spec/controllers/topics_controller_spec.rb b/spec/controllers/topics_controller_spec.rb index 35640b6311d..0100315a208 100644 --- a/spec/controllers/topics_controller_spec.rb +++ b/spec/controllers/topics_controller_spec.rb @@ -588,6 +588,8 @@ describe TopicsController do let(:secure_topic) { Fabricate(:topic, category: secure_category) } let(:private_topic) { Fabricate(:private_message_topic, user: allowed_user) } let(:deleted_topic) { Fabricate(:deleted_topic) } + let(:deleted_secure_topic) { Fabricate(:topic, category: secure_category, deleted_at: 1.day.ago) } + let(:deleted_private_topic) { Fabricate(:private_message_topic, user: allowed_user, deleted_at: 1.day.ago) } let(:nonexist_topic_id) { Topic.last.id + 10000 } context 'anonymous' do @@ -595,7 +597,9 @@ describe TopicsController do :normal_topic => 200, :secure_topic => 403, :private_topic => 302, - :deleted_topic => 403, + :deleted_topic => 410, + :deleted_secure_topic => 403, + :deleted_private_topic => 302, :nonexist => 404 } topics_controller_show_gen_perm_tests(expected, self) @@ -610,6 +614,8 @@ describe TopicsController do :secure_topic => 302, :private_topic => 302, :deleted_topic => 302, + :deleted_secure_topic => 302, + :deleted_private_topic => 302, :nonexist => 302 } topics_controller_show_gen_perm_tests(expected, self) @@ -624,7 +630,9 @@ describe TopicsController do :normal_topic => 200, :secure_topic => 403, :private_topic => 403, - :deleted_topic => 403, + :deleted_topic => 410, + :deleted_secure_topic => 403, + :deleted_private_topic => 403, :nonexist => 404 } topics_controller_show_gen_perm_tests(expected, self) @@ -639,7 +647,9 @@ describe TopicsController do :normal_topic => 200, :secure_topic => 200, :private_topic => 200, - :deleted_topic => 403, + :deleted_topic => 410, + :deleted_secure_topic => 410, + :deleted_private_topic => 410, :nonexist => 404 } topics_controller_show_gen_perm_tests(expected, self) @@ -655,6 +665,8 @@ describe TopicsController do :secure_topic => 403, :private_topic => 403, :deleted_topic => 200, + :deleted_secure_topic => 403, + :deleted_private_topic => 403, :nonexist => 404 } topics_controller_show_gen_perm_tests(expected, self) @@ -670,6 +682,8 @@ describe TopicsController do :secure_topic => 200, :private_topic => 200, :deleted_topic => 200, + :deleted_secure_topic => 200, + :deleted_private_topic => 200, :nonexist => 404 } topics_controller_show_gen_perm_tests(expected, self)