SECURITY: ensures mentioned_users is limited
Prior to this fix, the number of users rendered by mentioned_users could equal the number of members in a channel, which would be slow and, in more extreme cases, could crash the page and/or server.
parent
fe10a3feab
commit
fd4ff92892
@ -37,7 +37,7 @@ module Chat
def mentioned_users
def mentioned_users
object
object
.chat_mentions
.chat_mentions
.includes(user: :user_status)
.limit(SiteSetting.max_mentions_per_chat_message)
.map(&:user)
.map(&:user)
.compact
.compact
.sort_by(&:id)
.sort_by(&:id)
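Review bot: The new `.limit(SiteSetting.max_mentions_per_chat_message)` line appears to replace `.includes(user: :user_status)` rather than sit next to it, so the following `.map(&:user)` now loads each mention's user (and presumably its user_status, if rendered later) with a separate query — an N+1 that the limit only bounds. Unless the preload was dropped on purpose, keep both: `.includes(user: :user_status)` followed by `.limit(SiteSetting.max_mentions_per_chat_message)`. A limit with no explicit order also lets the database choose which mentions survive, so the later `.sort_by(&:id)` only orders whichever subset came back; adding `.order(:id)` ahead of the limit, here and in the second hunk at @@ -18,6 +18,7, makes the truncated set deterministic, assuming the chat_mentions association declares no order of its own. mentioned_users continues past the end of the hunk.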
@ -18,6 +18,7 @@ module Chat
def mentioned_users
def mentioned_users
object
object
.chat_mentions
.chat_mentions
.limit(SiteSetting.max_mentions_per_chat_message)
.map(&:user)
.map(&:user)
.compact
.compact
.sort_by(&:id)
.sort_by(&:id)
@ -12,6 +12,15 @@ describe Chat::MessageSerializer do
let(:guardian) { Guardian.new(guardian_user) }
let(:guardian) { Guardian.new(guardian_user) }
describe "#mentioned_users" do
it "is limited by max_mentions_per_chat_message setting" do
Fabricate.times(2, :chat_mention, chat_message: message_1)
SiteSetting.max_mentions_per_chat_message = 1
expect(serializer.as_json[:mentioned_users].length).to eq(1)
end
end
describe "#reactions" do
describe "#reactions" do
fab!(:custom_emoji) { CustomEmoji.create!(name: "trout", upload: Fabricate(:upload)) }
fab!(:custom_emoji) { CustomEmoji.create!(name: "trout", upload: Fabricate(:upload)) }
fab!(:reaction_1) do
fab!(:reaction_1) do
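Review bot: The new `describe "#mentioned_users"` example is repeated verbatim in the Chat::ThreadOriginalMessageSerializer spec added in this commit (the @@ -0,0 +1,21 @@ hunk); a `shared_examples "limits mentioned_users"` block pulled in with `it_behaves_like` from both specs would keep the two serializers pinned by one definition. The example also only asserts the truncated length; a companion example with the setting at or above the mention count (say two mentions and `SiteSetting.max_mentions_per_chat_message = 2`, expecting length 2) would show that the limit leaves mentions below the threshold untouched. The enclosing describe block continues outside the hunk.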
@ -0,0 +1,21 @@
# frozen_string_literal: true
require "rails_helper"
describe Chat::ThreadOriginalMessageSerializer do
subject(:serializer) { described_class.new(message_1, scope: guardian, root: nil) }
fab!(:message_1) { Fabricate(:chat_message) }
fab!(:guardian_user) { Fabricate(:user) }
let(:guardian) { Guardian.new(guardian_user) }
describe "#mentioned_users" do
it "is limited by max_mentions_per_chat_message setting" do
Fabricate.times(2, :chat_mention, chat_message: message_1)
SiteSetting.max_mentions_per_chat_message = 1
expect(serializer.as_json[:mentioned_users].length).to eq(1)
end
end
end