SECURITY: Do not reveal post whisperer in personal messages.
Prior to this fix, a user who whispered in a personal message was revealed in
the topic's participants list even though non-staff users are unable to
see the whisper.
tgxworld committed Jul 23, 2021
1 parent ae22404 commit 680024f
Showing 2 changed files with 33 additions and 13 deletions.
18 changes: 11 additions & 7 deletions lib/post_creator.rb
Expand Up @@ -458,14 +458,18 @@ def track_latest_on_category

def ensure_in_allowed_users
return unless @topic.private_message? && @topic.id
return if @post.whisper?
return if @topic.topic_allowed_users.exists?(user_id: @user.id)

unless @topic.topic_allowed_users.where(user_id: @user.id).exists?
unless @topic.topic_allowed_groups.where('group_id IN (
SELECT group_id FROM group_users where user_id = ?
)', @user.id).exists?
@topic.topic_allowed_users.create!(user_id: @user.id)
end
end
return if @topic
.topic_allowed_groups
.where(
"group_id IN (SELECT group_id FROM group_users where user_id = ?)",
@user.id
)
.exists?

@topic.topic_allowed_users.create!(user_id: @user.id)
end

def unarchive_message
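Review bot: The `return if @post.whisper?` guard on the new side is the entire fix, yet nothing in the code records why a whisper must not add its author to `topic_allowed_users`, so a later cleanup of ensure_in_allowed_users could drop it with no comment pointing at the reason. I would annotate it: `# Whispers are invisible to non-staff participants; adding the whisperer to topic_allowed_users would expose them in the PM's participants list.` The guard also assumes `@post.whisper?` can only be true for users permitted to whisper; that validation is outside this hunk, so it is worth confirming that a non-staff user cannot submit the whisper post_type and thereby reply in a PM without being added to it. The `exists?` followed by `create!` pair is not atomic under concurrent replies, but that predates this change.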
28 changes: 22 additions & 6 deletions spec/components/post_creator_spec.rb
Expand Up @@ -901,10 +901,10 @@
context 'private message' do
let(:target_user1) { Fabricate(:coding_horror) }
fab!(:target_user2) { Fabricate(:moderator) }
fab!(:unrelated) { Fabricate(:user) }
fab!(:unrelated_user) { Fabricate(:user) }
let(:post) do
PostCreator.create(user, title: 'hi there welcome to my topic',
raw: "this is my awesome message @#{unrelated.username_lower}",
PostCreator.create!(user, title: 'hi there welcome to my topic',
raw: "this is my awesome message @#{unrelated_user.username_lower}",
archetype: Archetype.private_message,
target_usernames: [target_user1.username, target_user2.username].join(','),
category: 1)
Expand All @@ -926,7 +926,7 @@
expect(post.topic.category).to eq(nil)

# does not notify an unrelated user
expect(unrelated.notifications.count).to eq(0)
expect(unrelated_user.notifications.count).to eq(0)
expect(post.topic.subtype).to eq(TopicSubtype.user_to_user)

# PMs do not increase post count or topic count
Expand All @@ -941,7 +941,7 @@

# if an admin replies they should be added to the allowed user list
admin = Fabricate(:admin)
PostCreator.create(admin, raw: 'hi there welcome topic, I am a mod',
PostCreator.create!(admin, raw: 'hi there welcome topic, I am a mod',
topic_id: post.topic_id)

post.topic.reload
Expand All @@ -955,11 +955,27 @@
admin2 = Fabricate(:admin)
group.add(admin2)

PostCreator.create(admin2, raw: 'I am also an admin, and a mod', topic_id: post.topic_id)
PostCreator.create!(admin2, raw: 'I am also an admin, and a mod', topic_id: post.topic_id)

expect(post.topic.topic_allowed_users.where(user_id: admin2.id).count).to eq(0)
end

it 'does not add whisperers to allowed users of the topic' do
SiteSetting.enable_whispers = true
unrelated_user.update!(admin: true)

PostCreator.create!(
unrelated_user,
raw: "This is a whisper that I am testing",
topic_id: post.topic_id,
post_type: Post.types[:whisper]
)

expect(post.topic.topic_allowed_users.map(&:user_id)).to contain_exactly(
target_user1.id, target_user2.id, user.id
)
end

it 'does not increase posts count for small actions' do
topic = Fabricate(:private_message_topic, user: Fabricate(:user))

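Review bot: The new spec asserts only the contents of `topic_allowed_users`, whereas the commit message describes the leak as the participants list seen by non-staff users; an additional expectation on what a non-staff participant is served for the topic would pin the user-visible property rather than the implementation detail, as far as the serializer exposes it. The test also turns the whisperer into an admin via `unrelated_user.update!(admin: true)`, and a companion case in which a regular user submits `post_type: Post.types[:whisper]` would document that the guard cannot be used to post in a PM without appearing in it — assuming PostCreator rejects such a post, which this hunk does not show. The `it` block is complete within the hunk, but the enclosing `context 'private message'` block starts earlier in the file.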