discourse/app/services
Martin Brennan 3c5fb871c0 SECURITY: Filter unread bookmark reminders the user cannot see
There is an edge case where the following occurs:

1. The user sets a bookmark reminder on a post/topic
2. The post/topic is changed to a PM before or after the reminder
   fires, and the notification remains unread by the user
3. The user opens their bookmark reminder notification list
   and they can still see the notification even though they cannot
   access the topic anymore

There is a very low chance for information leaking here, since
the only thing that could be exposed is the topic title if it
changes to something sensitive.

This commit filters the bookmark unread notifications by using
the bookmarkable can_see? methods and also prevents sending
reminder notifications for bookmarks the user can no longer see.
2023-11-09 13:39:16 +11:00
notifications
spam_rule
anonymous_shadow_creator.rb DEV: Change anonymous_posting_min_trust_level to a group-based setting (#24072) 2023-10-25 11:45:10 +10:00
badge_granter.rb DEV: Remove `badge_granted_title` column from `user_profiles` (#20476) 2023-03-08 13:37:20 +01:00
base_bookmarkable.rb DEV: Change Bookmarkable registration to DiscoursePluginRegistry (#20556) 2023-03-08 10:39:12 +10:00
category_hashtag_data_source.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
color_scheme_revisor.rb
destroy_task.rb
email_settings_exception_handler.rb
email_settings_validator.rb
email_style_updater.rb
external_upload_manager.rb DEV: Add S3 upload system specs using minio (#22975) 2023-08-23 11:18:33 +10:00
group_action_logger.rb
group_mentions_updater.rb
group_message.rb
handle_chunk_upload.rb
hashtag_autocomplete_service.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
heat_settings_updater.rb
inline_uploads.rb
notification_emailer.rb DEV: Email notification filter plugin API (#24271) 2023-11-08 10:29:00 -06:00
post_action_notifier.rb
post_alerter.rb FIX: Send push notifications for category/tag watching notifications (#24196) 2023-11-01 10:06:33 -05:00
post_bookmarkable.rb SECURITY: Filter unread bookmark reminders the user cannot see 2023-11-09 13:39:16 +11:00
post_owner_changer.rb
push_notification_pusher.rb FEATURE: Improve push notification message for watching_category_or_tag notifications (#24228) 2023-11-06 10:13:23 -06:00
random_topic_selector.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
registered_bookmarkable.rb DEV: Change Bookmarkable registration to DiscoursePluginRegistry (#20556) 2023-03-08 10:39:12 +10:00
search_indexer.rb FIX: do not allow title stuffing to dominate search (#21464) 2023-05-10 11:47:58 +10:00
sidebar_section_links_updater.rb FIX: Seed all categories and tags configured as defaults for nav menu (#22793) 2023-07-27 10:52:33 +08:00
sidebar_site_settings_backfiller.rb FIX: Update sidebar to be navigation menu (#22101) 2023-06-15 09:31:28 +10:00
site_settings_task.rb DEV: Add rake command to help detect dead settings (#23300) 2023-08-29 09:42:52 -06:00
staff_action_logger.rb FIX: Keep ReviewableQueuedPosts even with user delete reviewable actions (#22501) 2023-07-18 11:50:31 +00:00
tag_hashtag_data_source.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
theme_settings_migrations_runner.rb FEATURE: Theme settings migrations (#24071) 2023-11-02 08:10:15 +03:00
themes_install_task.rb FEATURE: Theme settings migrations (#24071) 2023-11-02 08:10:15 +03:00
topic_bookmarkable.rb SECURITY: Filter unread bookmark reminders the user cannot see 2023-11-09 13:39:16 +11:00
topic_status_updater.rb
topic_summarization.rb FIX: Everyone should be aware a cached summary is outdated. (#23438) 2023-09-06 12:09:21 -03:00
topic_timestamp_changer.rb
tracked_topics_updater.rb
trust_level_granter.rb
user_action_manager.rb
user_activator.rb
user_anonymizer.rb FIX: Anonymizing a user clears their user status too (#21673) 2023-05-22 13:18:09 +08:00
user_authenticator.rb
user_destroyer.rb FIX: Delete fast typer reviewable when deleting user (#23162) 2023-08-21 18:03:03 +08:00
user_merger.rb DEV: Remove `badge_granted_title` column from `user_profiles` (#20476) 2023-03-08 13:37:20 +01:00
user_notification_renderer.rb
user_notification_schedule_processor.rb
user_silencer.rb
user_stat_count_updater.rb
user_updater.rb FIX: Seed all categories and tags configured as defaults for nav menu (#22793) 2023-07-27 10:52:33 +08:00
username_changer.rb
username_checker_service.rb
web_hook_emitter.rb
wildcard_domain_checker.rb
wildcard_url_checker.rb
word_watcher.rb FIX: Replace watched words with wildcards (#24279) 2023-11-08 18:51:11 +02:00