FIX: Only users who can see a topic may change keys.

discourse · Dec 4, 2018 · cc7ff49 · cc7ff49 · ZogStriP · Dec 5, 2018
1 parent dc937db
commit cc7ff49
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/plugin.rb b/plugin.rb
@@ -86,18 +86,20 @@ def get_userkeys
       #               This parameter is optional when editing a topic's title.
       def put_topickeys
         topic_id = params.require(:topic_id)
-        title = params[:title]
-        keys = params[:keys]
 
-        if title
-          # Title may be missing when inviting new users into conversation.
-          topic = Topic.find_by(id: topic_id)
+        topic = Topic.find_by(id: topic_id)
+        if !Guardian.new(current_user).can_see_topic?(topic)
+          return render json: failed_json
+        end
+
+        if title = params[:title]
+          # Title may be missing when inviting new users into topic.
           topic.custom_fields["encrypted_title"] = title
           topic.save!
         end
 
-        if keys
-          # Keys may be missing when editing a conversation.
+        if keys = params[:keys]
+          # Keys may be missing when editing a topic.
           users = Hash[User.where(username: keys.keys).map { |u| [u.username, u] }]
           keys.each { |u, k| Store.set("key_#{topic_id}_#{users[u].id}", k) }
         end