SECURITY: only show user suggestions with regular post (#15436)
arpitjalan committed Jan 3, 2022
1 parent 4940332 commit 702685b
Showing 2 changed files with 7 additions and 1 deletion.
2 changes: 1 addition & 1 deletion app/models/user_search.rb
Expand Up @@ -83,7 +83,7 @@ def search_ids
# 2. in topic
if @topic_id
in_topic = filtered_by_term_users
.where('users.id IN (SELECT user_id FROM posts WHERE topic_id = ?)', @topic_id)
.where('users.id IN (SELECT user_id FROM posts WHERE topic_id = ? AND post_type = ?)', @topic_id, Post.types[:regular])

if @searching_user.present?
in_topic = in_topic.where('users.id <> ?', @searching_user.id)
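Review bot: The new subquery still matches soft-deleted posts, so a user whose only post in the topic has since been deleted is still offered as a suggestion; assuming the posts table carries the `deleted_at` column used for soft deletion elsewhere in this codebase, the filter should be `.where('users.id IN (SELECT user_id FROM posts WHERE topic_id = ? AND post_type = ? AND deleted_at IS NULL)', @topic_id, Post.types[:regular])`. The `post_type` restriction also silently excludes moderator and small-action posts, not just whispers, which is probably intended but deserves a line above the call such as `# Only regular posts: whispers and other non-regular post types must not reveal who participated`. The enclosing `search_ids` starts and ends outside the hunk, so whether `@topic_id` has already been checked for read access by the caller is not visible here.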
6 changes: 6 additions & 0 deletions spec/models/user_search_spec.rb
Expand Up @@ -114,6 +114,7 @@ def search_for(*args)
fab!(:post5) { Fabricate :post, user: mr_brown, topic: topic3 }
fab!(:post6) { Fabricate :post, user: mr_white, topic: topic }
fab!(:post7) { Fabricate :post, user: staged, topic: topic4 }
fab!(:post8) { Fabricate :post, user: mr_brown, topic: topic2, post_type: Post.types[:whisper] }

before { mr_white.update(suspended_at: 1.day.ago, suspended_till: 1.year.from_now) }

Expand Down Expand Up @@ -170,6 +171,11 @@ def search_for(*args)
expect(results).to eq [mr_b, mr_brown, mr_blue].map(&:username)
end

it "does not reveal whisper users" do
results = search_for("", topic_id: topic2.id)
expect(results).to eq [mr_blue.username]
end

it "only reveals topic participants to people with permission" do
pm_topic = Fabricate(:private_message_post).topic

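Review bot: The new example "does not reveal whisper users" asserts the whole result list but never names the user it is meant to exclude, so a fixture change that drops `mr_blue` from `topic2` would make the test pass for the wrong reason; adding `expect(results).not_to include(mr_brown.username)` next to the equality states the property directly. Whether `mr_blue` has a regular post in `topic2` is established by fixtures outside this hunk, which is worth a short comment on `post8`, e.g. `# mr_brown's only post in topic2 is a whisper and must not be suggested`. Since the model change filters on `post_type = regular` rather than excluding whispers specifically, a second example with a non-regular, non-whisper post type would pin that broader behaviour.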
