SECURITY: Hide invitees from users who are not allowed to see the eve…

…nt post (#544)
discourse · Feb 22, 2024 · 84ef46a · 84ef46a
1 parent dfc4fa1
commit 84ef46a
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 1 deletion.
diff --git a/app/controllers/discourse_post_event/invitees_controller.rb b/app/controllers/discourse_post_event/invitees_controller.rb
@@ -4,6 +4,7 @@ module DiscoursePostEvent
   class InviteesController < DiscoursePostEventController
     def index
       event = Event.find(params[:post_id])
+      guardian.ensure_can_see!(event.post)
 
       event_invitees = event.invitees
 

diff --git a/plugin.rb b/plugin.rb
@@ -3,7 +3,7 @@
 # name: discourse-calendar
 # about: Adds the ability to create a dynamic calendar with events in a topic.
 # meta_topic_id: 97376
-# version: 0.3
+# version: 0.4
 # author: Daniel Waterworth, Joffrey Jaffeux
 # url: https://github.com/discourse/discourse-calendar
 

diff --git a/spec/requests/invitees_controller_spec.rb b/spec/requests/invitees_controller_spec.rb
@@ -15,6 +15,32 @@ module DiscoursePostEvent
     let(:post_1) { Fabricate(:post, user: user, topic: topic_1) }
 
     describe "#index" do
+      context "for a post in a private category" do
+        let(:outside_user) { Fabricate(:user) }
+        let(:in_group_user) { Fabricate(:user) }
+        let(:group) { Fabricate(:group, users: [in_group_user]) }
+        let(:private_category) { Fabricate(:private_category, group:) }
+        let(:topic_1) { Fabricate(:topic, user: user, category: private_category) }
+        let(:post_1) { Fabricate(:post, user: user, topic: topic_1) }
+        let(:post_event_1) { Fabricate(:event, post: post_1) }
+
+        it "forbids non group user from seeing the list of invitees" do
+          sign_in(outside_user)
+
+          get "/discourse-post-event/events/#{post_event_1.id}/invitees.json"
+
+          expect(response.status).to eq(403)
+        end
+
+        it "allows group user to see the list of invitees" do
+          sign_in(in_group_user)
+
+          get "/discourse-post-event/events/#{post_event_1.id}/invitees.json"
+
+          expect(response.status).to eq(200)
+        end
+      end
+
       context "when params are included" do
         let(:invitee1) { Fabricate(:user, username: "Francis", name: "Francis") }
         let(:invitee2) { Fabricate(:user, username: "Francisco", name: "Francisco") }