FIX: Do not leak information about post revisions. (#6536)

2018-10-31 16:47:00 +02:00 · 2018-10-31 16:47:00 +02:00 · fa0e421af3
parent ff6676094f
commit fa0e421af3
4 changed files with 48 additions and 0 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -355,12 +355,18 @@ class PostsController < ApplicationController
  end

  def revisions
+    post = find_post_from_params
+    raise Discourse::NotFound if post.hidden && !guardian.can_view_hidden_post_revisions?
+
    post_revision = find_post_revision_from_params
    post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false)
    render_json_dump(post_revision_serializer)
  end

  def latest_revision
+    post = find_post_from_params
+    raise Discourse::NotFound if post.hidden && !guardian.can_view_hidden_post_revisions?
+
    post_revision = find_latest_post_revision_from_params
    post_revision_serializer = PostRevisionSerializer.new(post_revision, scope: guardian, root: false)
    render_json_dump(post_revision_serializer)
--- a/app/serializers/post_serializer.rb
+++ b/app/serializers/post_serializer.rb
@ -346,6 +346,8 @@ class PostSerializer < BasicPostSerializer
  end

  def version
+    return 1 if object.hidden && !scope.can_view_hidden_post_revisions?
+
    scope.is_staff? ? object.version : object.public_version
  end

--- a/spec/requests/posts_controller_spec.rb
+++ b/spec/requests/posts_controller_spec.rb
@ -1173,6 +1173,25 @@ describe PostsController do
      end
    end

+    context "when post is hidden" do
+      before {
+        post.hidden = true
+        post.save
+      }
+
+      it "throws an exception for users" do
+        sign_in(Fabricate(:user))
+        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
+        expect(response.status).to eq(404)
+      end
+
+      it "works for admins" do
+        sign_in(Fabricate(:admin))
+        get "/posts/#{post.id}/revisions/#{post_revision.number}.json"
+        expect(response.status).to eq(200)
+      end
+    end
+
    context "when edit history is visible to everyone" do

      before { SiteSetting.edit_history_visible_to_public = true }
--- a/spec/serializers/post_serializer_spec.rb
+++ b/spec/serializers/post_serializer_spec.rb
@ -121,6 +121,27 @@ describe PostSerializer do
      end
    end

+    context "a hidden revised post" do
+      let(:post) { Fabricate(:post, raw: 'Hello world!', hidden: true) }
+
+      before do
+        SiteSetting.editing_grace_period_max_diff = 1
+
+        revisor = PostRevisor.new(post)
+        revisor.revise!(post.user, raw: 'Hello, everyone!')
+      end
+
+      it "will not leak version to users" do
+        json = PostSerializer.new(post, scope: Guardian.new(user), root: false).as_json
+        expect(json[:version]).to eq(1)
+      end
+
+      it "will show real version to staff" do
+        json = PostSerializer.new(post, scope: Guardian.new(Fabricate(:admin)), root: false).as_json
+        expect(json[:version]).to eq(2)
+      end
+    end
+
    context "a public wiki post" do
      let(:post) { Fabricate.build(:post, raw: raw, user: user, wiki: true) }