discourse/plugins
Martin Brennan 3c5fb871c0 SECURITY: Filter unread bookmark reminders the user cannot see
There is an edge case where the following occurs:

1. The user sets a bookmark reminder on a post/topic
2. The post/topic is changed to a PM before or after the reminder
   fires, and the notification remains unread by the user
3. The user opens their bookmark reminder notification list
   and they can still see the notification even though they cannot
   access the topic anymore

There is a very low chance for information leaking here, since
the only thing that could be exposed is the topic title if it
changes to something sensitive.

This commit filters the bookmark unread notifications by using
the bookmarkable can_see? methods and also prevents sending
reminder notifications for bookmarks the user can no longer see.
2023-11-09 13:39:16 +11:00
chat SECURITY: Filter unread bookmark reminders the user cannot see 2023-11-09 13:39:16 +11:00
checklist DEV: Rename I18n imports to discourse-i18n (#23915) 2023-10-18 11:07:09 +01:00
discourse-details DEV: remove markdown-it-bundle and custom build code (#23859) 2023-11-06 16:59:49 +00:00
discourse-lazy-videos FIX: Add `rel=0` to youtube lazy videos url (#24173) 2023-10-31 08:04:23 -03:00
discourse-local-dates DEV: Rename I18n imports to discourse-i18n (#23915) 2023-10-18 11:07:09 +01:00
discourse-narrative-bot DEV: Change anonymous_posting_min_trust_level to a group-based setting (#24072) 2023-10-25 11:45:10 +10:00
discourse-presence DEV: Sort imports 2023-10-10 21:46:54 +01:00
footnote Update translations (#24177) 2023-11-07 21:31:20 +01:00
poll DEV: Rename I18n imports to discourse-i18n (#23915) 2023-10-18 11:07:09 +01:00
spoiler-alert Update translations (#24177) 2023-11-07 21:31:20 +01:00
styleguide FEATURE: Add ability to hide modal header (#24290) 2023-11-08 12:15:35 -06:00