Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: Return 410 Gone for deleted topics you could otherwise see

This commit is contained in:
Kane York 2015-09-18 00:14:10 -07:00
parent 6c6d3a2159
commit c9e4745fe8
5 changed files with 46 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/topics_controller.rb
View File

@ -93,6 +93,11 @@ class TopicsController < ApplicationController
Notification.remove_for(current_user.id, params[:topic_id]) Notification.remove_for(current_user.id, params[:topic_id])
end end
if ex.obj && Topic === ex.obj && guardian.can_see_topic_if_not_deleted?(ex.obj)
rescue_discourse_actions(:not_found, 410)
return
end
raise ex raise ex
end end

8
lib/discourse.rb
View File

@ -43,7 +43,13 @@ module Discourse
class InvalidParameters < StandardError; end class InvalidParameters < StandardError; end
# When they don't have permission to do something # When they don't have permission to do something
class InvalidAccess < StandardError; end class InvalidAccess < StandardError
attr_reader :obj
def initialize(msg=nil, obj=nil)
super(msg)
@obj = obj
end
end
# When something they want is not found # When something they want is not found
class NotFound < StandardError; end class NotFound < StandardError; end

16
lib/guardian/topic_guardian.rb
View File

@ -72,6 +72,22 @@ module TopicGuardian
!topic.read_restricted_category? || can_see_category?(topic.category) !topic.read_restricted_category? || can_see_category?(topic.category)
end end
def can_see_topic_if_not_deleted?(topic)
return false unless topic
# Admins can see everything
return true if is_admin?
# Deleted topics
# return false if topic.deleted_at && !can_see_deleted_topics?
if topic.private_message?
return authenticated? &&
topic.all_allowed_users.where(id: @user.id).exists?
end
# not secure, or I can see it
!topic.read_restricted_category? || can_see_category?(topic.category)
end
def filter_allowed_categories(records) def filter_allowed_categories(records)
unless is_admin? unless is_admin?
allowed_ids = allowed_category_ids allowed_ids = allowed_category_ids

2
lib/topic_view.rb
View File

@ -417,7 +417,7 @@ class TopicView
if @topic.present? && @topic.private_message? && @user.blank? if @topic.present? && @topic.private_message? && @user.blank?
raise Discourse::NotLoggedIn.new raise Discourse::NotLoggedIn.new
end end
guardian.ensure_can_see!(@topic) raise Discourse::InvalidAccess.new("can't see #{@topic}", @topic) unless guardian.can_see?(@topic)
end end

20
spec/controllers/topics_controller_spec.rb
View File

@ -588,6 +588,8 @@ describe TopicsController do
let(:secure_topic) { Fabricate(:topic, category: secure_category) } let(:secure_topic) { Fabricate(:topic, category: secure_category) }
let(:private_topic) { Fabricate(:private_message_topic, user: allowed_user) } let(:private_topic) { Fabricate(:private_message_topic, user: allowed_user) }
let(:deleted_topic) { Fabricate(:deleted_topic) } let(:deleted_topic) { Fabricate(:deleted_topic) }
let(:deleted_secure_topic) { Fabricate(:topic, category: secure_category, deleted_at: 1.day.ago) }
let(:deleted_private_topic) { Fabricate(:private_message_topic, user: allowed_user, deleted_at: 1.day.ago) }
let(:nonexist_topic_id) { Topic.last.id + 10000 } let(:nonexist_topic_id) { Topic.last.id + 10000 }
context 'anonymous' do context 'anonymous' do
@ -595,7 +597,9 @@ describe TopicsController do
:normal_topic => 200, :normal_topic => 200,
:secure_topic => 403, :secure_topic => 403,
:private_topic => 302, :private_topic => 302,
:deleted_topic => 403, :deleted_topic => 410,
:deleted_secure_topic => 403,
:deleted_private_topic => 302,
:nonexist => 404 :nonexist => 404
} }
topics_controller_show_gen_perm_tests(expected, self) topics_controller_show_gen_perm_tests(expected, self)
@ -610,6 +614,8 @@ describe TopicsController do
:secure_topic => 302, :secure_topic => 302,
:private_topic => 302, :private_topic => 302,
:deleted_topic => 302, :deleted_topic => 302,
:deleted_secure_topic => 302,
:deleted_private_topic => 302,
:nonexist => 302 :nonexist => 302
} }
topics_controller_show_gen_perm_tests(expected, self) topics_controller_show_gen_perm_tests(expected, self)
@ -624,7 +630,9 @@ describe TopicsController do
:normal_topic => 200, :normal_topic => 200,
:secure_topic => 403, :secure_topic => 403,
:private_topic => 403, :private_topic => 403,
:deleted_topic => 403, :deleted_topic => 410,
:deleted_secure_topic => 403,
:deleted_private_topic => 403,
:nonexist => 404 :nonexist => 404
} }
topics_controller_show_gen_perm_tests(expected, self) topics_controller_show_gen_perm_tests(expected, self)
@ -639,7 +647,9 @@ describe TopicsController do
:normal_topic => 200, :normal_topic => 200,
:secure_topic => 200, :secure_topic => 200,
:private_topic => 200, :private_topic => 200,
:deleted_topic => 403, :deleted_topic => 410,
:deleted_secure_topic => 410,
:deleted_private_topic => 410,
:nonexist => 404 :nonexist => 404
} }
topics_controller_show_gen_perm_tests(expected, self) topics_controller_show_gen_perm_tests(expected, self)
@ -655,6 +665,8 @@ describe TopicsController do
:secure_topic => 403, :secure_topic => 403,
:private_topic => 403, :private_topic => 403,
:deleted_topic => 200, :deleted_topic => 200,
:deleted_secure_topic => 403,
:deleted_private_topic => 403,
:nonexist => 404 :nonexist => 404
} }
topics_controller_show_gen_perm_tests(expected, self) topics_controller_show_gen_perm_tests(expected, self)
@ -670,6 +682,8 @@ describe TopicsController do
:secure_topic => 200, :secure_topic => 200,
:private_topic => 200, :private_topic => 200,
:deleted_topic => 200, :deleted_topic => 200,
:deleted_secure_topic => 200,
:deleted_private_topic => 200,
:nonexist => 404 :nonexist => 404
} }
topics_controller_show_gen_perm_tests(expected, self) topics_controller_show_gen_perm_tests(expected, self)