Merge pull request #3169 from riking/patch-3

SECURITY: Don't leak topic title in the redirect
2025-02-16 16:24:55 +00:00 · 2015-02-05 12:47:58 +01:00 · 2015-02-05 12:47:58 +01:00 · f1403206ca
commit f1403206ca
parent 48de485f72 4c8850108a
2 changed files with 17 additions and 0 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -70,6 +70,8 @@ class PostsController < ApplicationController
      user = User.find(params[:user_id].to_i)
      request['u'] = user.username_lower if user
    end
+
+    guardian.ensure_can_see!(post)
    redirect_to post.url
  end

--- a/spec/controllers/posts_controller_spec.rb
+++ b/spec/controllers/posts_controller_spec.rb
@ -821,4 +821,19 @@ describe PostsController do
    end
  end

+  describe "short link" do
+    let(:topic) { Fabricate(:topic) }
+    let(:post) { Fabricate(:post, topic: topic) }
+
+    it "redirects to the topic" do
+      xhr :get, :short_link, post_id: post.id
+      response.should be_redirect
+    end
+
+    it "returns a 403 when access is denied" do
+      Guardian.any_instance.stubs(:can_see?).returns(false)
+      xhr :get, :short_link, post_id: post.id
+      response.should be_forbidden
+    end
+  end
 end