discourse/app/controllers
Alan Guo Xiang Tan 101ec21bc9
SECURITY: Restrict display of topic titles associated with user badges (#18768)
Before this commit, we did not have guardian checks in place to determine if a
topic's title associated with a user badge should be displayed or not.
This means that the topic title of topics with restricted access
could be leaked to anon and users without access if certain conditions
are met. While we will not specify the conditions required, we have internally
assessed that the odds of meeting such conditions are low.

With this commit, we will now apply a guardian check to ensure that the
current user is able to see a topic before the topic's title is included
in the serialized object of a `UserBadge`.
2022-10-27 11:26:14 +08:00
admin DEV: Sidebar default tags and categories are determined at user creation (#18620) 2022-10-27 06:38:50 +08:00
users DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
about_controller.rb
application_controller.rb Revert "Revert "FEATURE: Preload resources via link header (#18475)" (#18511)" (#18531) 2022-10-11 20:11:44 -03:00
associated_groups_controller.rb FEATURE: Experimental support for group membership via google auth (#14835) 2021-12-09 12:30:27 +00:00
badges_controller.rb
bookmarks_controller.rb DEV: Add save_user_preferences option to BookmarkManager (#16894) 2022-05-24 11:13:21 +10:00
bootstrap_controller.rb DEV: Load plugin CSS in tests (#18668) 2022-10-19 18:10:06 +01:00
categories_controller.rb FEATURE: Add dark mode option for category logos (#18460) 2022-10-07 11:00:44 -04:00
clicks_controller.rb
composer_messages_controller.rb FEATURE: add composer warning when user haven't been seen in a long time (#18340) 2022-09-27 22:06:40 +05:30
csp_reports_controller.rb FIX: stop logging blank and invalid CSP reports (#17144) 2022-06-20 16:57:46 +10:00
directory_columns_controller.rb DEV: Plugin API to add directory columns (#13440) 2021-06-22 13:00:04 -05:00
directory_items_controller.rb FIX: unable to filter user directory when sorted by user field. (#15951) 2022-02-16 07:57:35 +05:30
do_not_disturb_controller.rb
drafts_controller.rb DEV: do not return no_result_help from the server (#15220) 2021-12-08 21:46:54 +04:00
edit_directory_columns_controller.rb FIX: Always serialize the correct attributes for DirectoryItems (#13510) 2021-06-23 14:55:17 -05:00
email_controller.rb FEATURE: Custom unsubscribe options (#17090) 2022-06-21 15:49:47 -03:00
embed_controller.rb FEATURE: Block indexing the embed topic list (#16495) 2022-04-19 18:24:38 -03:00
exceptions_controller.rb
export_csv_controller.rb
extra_locales_controller.rb
finish_installation_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
forums_controller.rb DEV: New readonly mode. Only applies to non-staff (#16243) 2022-05-17 13:06:08 -05:00
groups_controller.rb FIX: LocalJumpError : unexpected return (#18114) 2022-08-27 18:06:56 +02:00
hashtags_controller.rb FEATURE: Generic hashtag autocomplete part 1 (#18592) 2022-10-19 14:03:57 +10:00
highlight_js_controller.rb DEV: Update highlight.js to version 11 (#18282) 2022-09-20 12:43:28 -03:00
inline_onebox_controller.rb
invites_controller.rb FIX: Correctly pass `invite_to_topic` param to invites (#18229) 2022-09-12 13:16:53 -04:00
list_controller.rb FIX: Users with unicode usernames unable to load more topics in activity (#16627) 2022-05-05 09:48:22 +08:00
metadata_controller.rb FIX: Remove svg icons from webmanifest shortcuts (#15765) 2022-02-01 15:26:58 -03:00
notifications_controller.rb DEV: Include pending reviewables in the main tab in the user menu (#18471) 2022-10-05 12:30:02 +03:00
offline_controller.rb
onebox_controller.rb
permalinks_controller.rb
post_action_users_controller.rb
post_actions_controller.rb
post_readers_controller.rb
posts_controller.rb FIX: Exclude hidden topic posts and small actions from the RSS feed. (#18649) 2022-10-18 15:19:54 -03:00
presence_controller.rb FIX: Ensure presence endpoints don't break the session (#17108) 2022-06-16 14:38:43 +01:00
published_pages_controller.rb DEV: Rename secure_media to secure_uploads (#18376) 2022-09-29 09:24:33 +10:00
push_notification_controller.rb
qunit_controller.rb DEV: Remove ember-cli flags from the backend (#17147) 2022-06-20 16:33:05 +02:00
reviewable_claimed_topics_controller.rb
reviewables_controller.rb DEV: Include pending reviewables in the main tab in the user menu (#18471) 2022-10-05 12:30:02 +03:00
robots_txt_controller.rb DEV: Add plugin API to add to robots.txt (#17378) 2022-07-12 20:52:55 +03:00
safe_mode_controller.rb UX: Improve safe-mode usability (#17929) 2022-08-15 15:15:15 +01:00
search_controller.rb FIX: Limits for PM and group header search (#16887) 2022-05-24 11:31:24 -04:00
session_controller.rb FIX: Allow email login for admins in staff-writes-only-mode (#18443) 2022-09-30 14:12:49 -05:00
similar_topics_controller.rb
site_controller.rb DEV: Include `login_required` attribute in basic info endpoint (#14064) 2021-08-17 14:05:51 -04:00
sitemap_controller.rb FEATURE: Let sites add a sitemap.xml file. (#16357) 2022-04-12 10:33:59 -03:00
static_controller.rb DEV: Ensure service-worker sourcemap logic works with brotli/gzip (#16718) 2022-05-11 13:42:34 +01:00
steps_controller.rb
stylesheets_controller.rb DEV: Fix stylesheet manager flaky spec (#13846) 2021-07-26 14:22:54 +10:00
svg_sprite_controller.rb DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
tag_groups_controller.rb
tags_controller.rb FIX: Allow `match_all_tags` to be passed as a URL param (#17972) 2022-08-19 15:41:56 -04:00
theme_javascripts_controller.rb DEV: Introduce minification and source maps for Theme JS (#18646) 2022-10-18 18:20:10 +01:00
topics_controller.rb FIX: Remove public topic invite functionality (#18488) 2022-10-10 19:21:51 +03:00
uploads_controller.rb DEV: Rename secure_media to secure_uploads (#18376) 2022-09-29 09:24:33 +10:00
user_actions_controller.rb FIX: Sanitize parameters provided to user actions 2022-02-23 15:46:40 +01:00
user_api_keys_controller.rb DEV: Upgrade to Rails 7 2022-04-28 11:51:03 +02:00
user_avatars_controller.rb DEV: allow plugins to override max file size for avatar downloads (#16970) 2022-06-01 17:12:06 -07:00
user_badges_controller.rb SECURITY: Restrict display of topic titles associated with user badges (#18768) 2022-10-27 11:26:14 +08:00
user_status_controller.rb FEATURE: auto remove user status after predefined period (#17236) 2022-07-05 19:12:22 +04:00
users_controller.rb FEATURE: add user status to user preferences (#18532) 2022-10-12 23:35:25 +04:00
users_email_controller.rb DEV: Hash tokens stored from email_tokens (#14493) 2021-11-25 09:34:39 +02:00
webhooks_controller.rb FIX: Accept HEAD requests for mandrill webhook (#17180) 2022-07-29 16:26:31 +10:00
wizard_controller.rb DEV: Make wizard an ember addon (#17027) 2022-06-17 14:50:21 +02:00