From 4c8850108a45885b1f9a13185ccb00bf5fd72c74 Mon Sep 17 00:00:00 2001
From: riking
Date: Wed, 4 Feb 2015 11:49:05 -0800
Subject: [PATCH] SECURITY: Don't leak topic title in the redirect

---
 app/controllers/posts_controller.rb | 2 ++
 spec/controllers/posts_controller_spec.rb | 15 +++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/app/controllers/posts_controller.rb b/app/controllers/posts_controller.rb
index 34a5a8c353f..b33655d349e 100644
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@@ -70,6 +70,8 @@ class PostsController < ApplicationController
       user = User.find(params[:user_id].to_i)
       request['u'] = user.username_lower if user
     end
+
+    guardian.ensure_can_see!(post)
     redirect_to post.url
   end
 
diff --git a/spec/controllers/posts_controller_spec.rb b/spec/controllers/posts_controller_spec.rb
index aee2f0a01f2..14210d0a649 100644
--- a/spec/controllers/posts_controller_spec.rb
+++ b/spec/controllers/posts_controller_spec.rb
@@ -821,4 +821,19 @@ describe PostsController do
     end
   end
 
+  describe "short link" do
+    let(:topic) { Fabricate(:topic) }
+    let(:post) { Fabricate(:post, topic: topic) }
+
+    it "redirects to the topic" do
+      xhr :get, :short_link, post_id: post.id
+      response.should be_redirect
+    end
+
+    it "returns a 403 when access is denied" do
+      Guardian.any_instance.stubs(:can_see?).returns(false)
+      xhr :get, :short_link, post_id: post.id
+      response.should be_forbidden
+    end
+  end
 end
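Review bot: The added `guardian.ensure_can_see!(post)` sits after the `User.find(params[:user_id].to_i)` lookup and the `request['u'] = user.username_lower` assignment, so those side effects still run for a post the requester is not allowed to see; the authorization check should be the first thing done once `post` is loaded, before any referral handling. The start of this action, including where `post` is loaded, is outside the hunk, so the exact insertion point cannot be confirmed from here. The reason for the check is also worth recording next to it, since a later refactor could move the redirect ahead of it: `# post.url carries the topic slug; authorize before redirecting so a hidden topic's title is not disclosed via the Location header`.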
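Review bot: The denial case stubs `Guardian.any_instance.stubs(:can_see?).returns(false)`, which proves the controller consults the guardian but not that a real access rule blocks the redirect; a second example using a post whose topic the current user genuinely cannot see (and an anonymous request) would pin the actual behaviour the commit message describes. Since the point of the fix is that the title must not leak, the 403 example should also assert on the response rather than only the status, for instance `response.headers['Location'].should be_nil` and `response.body.should_not include(topic.title)`. The `redirects to the topic` example could likewise assert that the redirect location is `post.url` so a regression that redirects elsewhere is caught.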