discourse/app/services
Martin Brennan 3c5fb871c0 SECURITY: Filter unread bookmark reminders the user cannot see
There is an edge case where the following occurs:

1. The user sets a bookmark reminder on a post/topic
2. The post/topic is changed to a PM before or after the reminder
   fires, and the notification remains unread by the user
3. The user opens their bookmark reminder notification list
   and they can still see the notification even though they cannot
   access the topic anymore

There is a very low chance for information leaking here, since
the only thing that could be exposed is the topic title if it
changes to something sensitive.

This commit filters the bookmark unread notifications by using
the bookmarkable can_see? methods and also prevents sending
reminder notifications for bookmarks the user can no longer see.
2023-11-09 13:39:16 +11:00
notifications DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
spam_rule DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
anonymous_shadow_creator.rb DEV: Change anonymous_posting_min_trust_level to a group-based setting (#24072) 2023-10-25 11:45:10 +10:00
badge_granter.rb DEV: Remove `badge_granted_title` column from `user_profiles` (#20476) 2023-03-08 13:37:20 +01:00
base_bookmarkable.rb DEV: Change Bookmarkable registration to DiscoursePluginRegistry (#20556) 2023-03-08 10:39:12 +10:00
category_hashtag_data_source.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
color_scheme_revisor.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
destroy_task.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
email_settings_exception_handler.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
email_settings_validator.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
email_style_updater.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
external_upload_manager.rb DEV: Add S3 upload system specs using minio (#22975) 2023-08-23 11:18:33 +10:00
group_action_logger.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
group_mentions_updater.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
group_message.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
handle_chunk_upload.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
hashtag_autocomplete_service.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
heat_settings_updater.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
inline_uploads.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
notification_emailer.rb DEV: Email notification filter plugin API (#24271) 2023-11-08 10:29:00 -06:00
post_action_notifier.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
post_alerter.rb FIX: Send push notifications for category/tag watching notifications (#24196) 2023-11-01 10:06:33 -05:00
post_bookmarkable.rb SECURITY: Filter unread bookmark reminders the user cannot see 2023-11-09 13:39:16 +11:00
post_owner_changer.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
push_notification_pusher.rb FEATURE: Improve push notification message for watching_category_or_tag notifications (#24228) 2023-11-06 10:13:23 -06:00
random_topic_selector.rb DEV: Remove Discourse.redis.delete_prefixed (#22103) 2023-06-16 12:44:35 +10:00
registered_bookmarkable.rb DEV: Change Bookmarkable registration to DiscoursePluginRegistry (#20556) 2023-03-08 10:39:12 +10:00
search_indexer.rb FIX: do not allow title stuffing to dominate search (#21464) 2023-05-10 11:47:58 +10:00
sidebar_section_links_updater.rb FIX: Seed all categories and tags configured as defaults for nav menu (#22793) 2023-07-27 10:52:33 +08:00
sidebar_site_settings_backfiller.rb FIX: Update sidebar to be navigation menu (#22101) 2023-06-15 09:31:28 +10:00
site_settings_task.rb DEV: Add rake command to help detect dead settings (#23300) 2023-08-29 09:42:52 -06:00
staff_action_logger.rb FIX: Keep ReviewableQueuedPosts even with user delete reviewable actions (#22501) 2023-07-18 11:50:31 +00:00
tag_hashtag_data_source.rb DEV: Remove enable_experimental_hashtag_autocomplete logic (#22820) 2023-08-08 11:18:55 +10:00
theme_settings_migrations_runner.rb FEATURE: Theme settings migrations (#24071) 2023-11-02 08:10:15 +03:00
themes_install_task.rb FEATURE: Theme settings migrations (#24071) 2023-11-02 08:10:15 +03:00
topic_bookmarkable.rb SECURITY: Filter unread bookmark reminders the user cannot see 2023-11-09 13:39:16 +11:00
topic_status_updater.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
topic_summarization.rb FIX: Everyone should be aware a cached summary is outdated. (#23438) 2023-09-06 12:09:21 -03:00
topic_timestamp_changer.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
tracked_topics_updater.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
trust_level_granter.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_action_manager.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_activator.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_anonymizer.rb FIX: Anonymizing a user clears their user status too (#21673) 2023-05-22 13:18:09 +08:00
user_authenticator.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_destroyer.rb FIX: Delete fast typer reviewable when deleting user (#23162) 2023-08-21 18:03:03 +08:00
user_merger.rb DEV: Remove `badge_granted_title` column from `user_profiles` (#20476) 2023-03-08 13:37:20 +01:00
user_notification_renderer.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_notification_schedule_processor.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_silencer.rb DEV: Enable `unless` cops 2023-02-21 10:30:48 +01:00
user_stat_count_updater.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
user_updater.rb FIX: Seed all categories and tags configured as defaults for nav menu (#22793) 2023-07-27 10:52:33 +08:00
username_changer.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
username_checker_service.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
web_hook_emitter.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
wildcard_domain_checker.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
wildcard_url_checker.rb DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 14:14:59 +00:00
word_watcher.rb FIX: Replace watched words with wildcards (#24279) 2023-11-08 18:51:11 +02:00