
Commit 84ef46a

authored
SECURITY: Hide invitees from users who are not allowed to see the event post (#544)
1 parent dfc4fa1 commit 84ef46a

3 files changed

+28
-1
lines changed


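--- a/app/controllers/discourse_post_event/invitees_controller.rb
+++ b/app/controllers/discourse_post_event/invitees_controller.rb
@@ -4,6 +4,7 @@ module DiscoursePostEvent
 class InviteesController < DiscoursePostEventController
 def index
 event = Event.find(params[:post_id])
+guardian.ensure_can_see!(event.post)
 
 event_invitees = event.invitees
 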
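Review bot: `guardian.ensure_can_see!(event.post)` is added only inside `index`, so any other action this controller exposes on the same event (none are visible in this hunk, and `index` itself continues past it) would still answer without the check; a `before_action` that loads the event and calls `ensure_can_see!` on its post would make the guard the default for every action instead of something each action has to remember. Because `Event.find` runs before the permission check, an id that does not exist answers 404 while an event the caller may not see answers 403, so the two cases remain distinguishable to the caller; if that distinction should not be exposed, `raise Discourse::NotFound unless guardian.can_see?(event.post)` collapses both into 404, though the new spec currently asserts 403.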

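--- a/plugin.rb
+++ b/plugin.rb
@@ -3,7 +3,7 @@
 # name: discourse-calendar
 # about: Adds the ability to create a dynamic calendar with events in a topic.
 # meta_topic_id: 97376
-# version: 0.3
+# version: 0.4
 # author: Daniel Waterworth, Joffrey Jaffeux
 # url: https://github.com/discourse/discourse-calendar
 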
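--- a/spec/requests/invitees_controller_spec.rb
+++ b/spec/requests/invitees_controller_spec.rb
@@ -15,6 +15,32 @@ module DiscoursePostEvent
 let(:post_1) { Fabricate(:post, user: user, topic: topic_1) }
 
 describe "#index" do
+context "for a post in a private category" do
+let(:outside_user) { Fabricate(:user) }
+let(:in_group_user) { Fabricate(:user) }
+let(:group) { Fabricate(:group, users: [in_group_user]) }
+let(:private_category) { Fabricate(:private_category, group:) }
+let(:topic_1) { Fabricate(:topic, user: user, category: private_category) }
+let(:post_1) { Fabricate(:post, user: user, topic: topic_1) }
+let(:post_event_1) { Fabricate(:event, post: post_1) }
+
+it "forbids non group user from seeing the list of invitees" do
+sign_in(outside_user)
+
+get "/discourse-post-event/events/#{post_event_1.id}/invitees.json"
+
+expect(response.status).to eq(403)
+end
+
+it "allows group user to see the list of invitees" do
+sign_in(in_group_user)
+
+get "/discourse-post-event/events/#{post_event_1.id}/invitees.json"
+
+expect(response.status).to eq(200)
+end
+end
+
 context "when params are included" do
 let(:invitee1) { Fabricate(:user, username: "Francis", name: "Francis") }
 let(:invitee2) { Fabricate(:user, username: "Francisco", name: "Francisco") }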
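Review bot: The new private-category context exercises a signed-in outsider and a group member but not an anonymous request, which is the other caller class the `ensure_can_see!` guard has to reject; an `it "forbids anonymous users from seeing the list of invitees"` example that issues `get "/discourse-post-event/events/#{post_event_1.id}/invitees.json"` with no `sign_in` and asserts `expect(response.status).to eq(403)` would pin that (presumably 403, to be confirmed against how the guardian treats a nil user). The added `let(:topic_1)` and `let(:post_1)` deliberately shadow the outer definitions at file lines 15–16 so that `post_event_1` lands in the private category; a one-line comment such as `# override the outer topic_1/post_1 so post_event_1 lives in the private category` would spare the next reader the lookup.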
