SECURITY: do not send push notifications to suspended users

2017-04-05 08:28:24 -04:00 · 2017-04-05 08:28:24 -04:00 · cd39049262
parent 9065df76ad
commit cd39049262
2 changed files with 21 additions and 1 deletions
--- a/app/services/post_alerter.rb
+++ b/app/services/post_alerter.rb
@ -373,7 +373,7 @@ class PostAlerter
                              post_action_id: opts[:post_action_id],
                              data: notification_data.to_json)

-   if !existing_notification && NOTIFIABLE_TYPES.include?(type)
+   if !existing_notification && NOTIFIABLE_TYPES.include?(type) && !user.suspended?
     # we may have an invalid post somehow, dont blow up
     post_url = original_post.url rescue nil
     if post_url
--- a/spec/services/post_alerter_spec.rb
+++ b/spec/services/post_alerter_spec.rb
@ -328,6 +328,26 @@ describe PostAlerter do
    let(:mention_post) { create_post_with_alerts(user: user, raw: 'Hello @eviltrout :heart:')}
    let(:topic) { mention_post.topic }

+    it "pushes nothing to suspended users" do
+
+      SiteSetting.allowed_user_api_push_urls = "https://site.com/push|https://site2.com/push"
+
+      evil_trout.update_columns(suspended_till: 1.year.from_now)
+
+      2.times do |i|
+        UserApiKey.create!(user_id: evil_trout.id,
+                           client_id: "xxx#{i}",
+                           key: "yyy#{i}",
+                           application_name: "iPhone#{i}",
+                           scopes: ['notifications'],
+                           push_url: "https://site2.com/push")
+      end
+
+      # should only happen once even though we are using 2 keys
+      RestClient.expects(:post).never
+      mention_post
+    end
+
    it "correctly pushes notifications if configured correctly" do
      SiteSetting.allowed_user_api_push_urls = "https://site.com/push|https://site2.com/push"