discourse/spec
Andrei Prigorshnev b609f6c11c
FIX: restrict other user's notification routes (#14442)
It was possible to see notifications of other users using routes:
- notifications/responses
- notifications/likes-received
- notifications/mentions
- notifications/edits

We weren't showing anything private (like notifications about private messages), only things that are publicly available in other places. But anyway, it feels strange that it's possible to look at notifications of someone else. Additionally, there is a risk that we can unintentionally leak something on these pages in the future.

This commit restricts these routes.
2021-09-29 16:24:28 +04:00
| Name | Last commit | Date |
| --- | --- | --- |
| components | PERF: Improve database query perf when loading topics for a category. (#14416) | 2021-09-28 10:05:00 +08:00 |
| fabricators | DEV: Ignore reminder_type for bookmarks (#14349) | 2021-09-16 09:56:54 +10:00 |
| fixtures | FIX: Handle forwarded email quotes around Reply-To display name (#14384) | 2021-09-20 16:26:18 +10:00 |
| helpers | FIX: Offer site_logo_dark_url as an option for dark mode themes (#14361) | 2021-09-16 17:47:51 -04:00 |
| import_export | FEATURE: Rake task to export groups (#9450) | 2020-04-17 14:59:54 -07:00 |
| initializers | FEATURE: A low priority filter for the review queue. (#12822) | 2021-04-23 15:34:24 -03:00 |
| integration | SECURITY: Escape watched word in error message (#14434) | 2021-09-24 11:55:15 +03:00 |
| integrity | DEV: Fix a flaky Onceoff spec (#13314) | 2021-06-07 20:38:31 +02:00 |
| jobs | DEV: use upload id to save in theme setting instead of URL. (#14341) | 2021-09-16 07:58:53 +05:30 |
| lib | PERF: Revert all inboxes from messages route. (#14445) | 2021-09-28 11:58:04 +08:00 |
| mailers | FIX: add locales for group mention PM variants (#14358) | 2021-09-16 23:07:45 +05:30 |
| models | FIX: Do not publish post for PM topic tracking if not new for user. (#14469) | 2021-09-29 13:54:24 +08:00 |
| multisite | FIX: Use random file name for temporary uploads (#14250) | 2021-09-06 10:21:20 +10:00 |
| requests | FIX: restrict other user's notification routes (#14442) | 2021-09-29 16:24:28 +04:00 |
| script/import_scripts | DEV: If disabled do not change setting after import (#12142) | 2021-02-19 09:33:35 -07:00 |
| serializers | FIX: Use unread post excerpt for topic-level bookmark excerpt (#14414) | 2021-09-22 12:47:36 +10:00 |
| services | FEATURE: Humanize file size error messages (#14398) | 2021-09-22 07:59:45 +10:00 |
| support | FIX: Make sure reset-new for tracked is not limited by per_page count (#13395) | 2021-06-17 08:20:09 +10:00 |
| tasks | FIX: remove migrate_from_s3 task that silently corrupts data (#11703) | 2021-01-17 22:33:29 +01:00 |
| views/omniauth_callbacks | FEATURE: Use full page redirection for all external auth methods (#8092) | 2019-10-08 12:10:43 +01:00 |
| rails_helper.rb | Revert "DEV: Move rate limiter disable to after :each for tests (#13986)" (#13987) | 2021-08-10 14:12:36 +10:00 |
| swagger_helper.rb | DEV: Refactor the api docs for the user endpoint (#14377) | 2021-09-20 10:04:57 -06:00 |