SECURITY: Don't expose user post counts to users who can't see the topic (#19728)

Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>

Co-authored-by: Daniel Waterworth <me@danielwaterworth.com>
Co-authored-by: Penar Musaraj <pmusaraj@gmail.com>
3 people committed Jan 4, 2023
1 parent c0e2d7b commit cbcf8a0
Showing 2 changed files with 10 additions and 1 deletion.
2 changes: 1 addition & 1 deletion app/controllers/users_controller.rb
Expand Up @@ -72,7 +72,7 @@ def show(for_card: false)
user_serializer = serializer_class.new(@user, scope: guardian, root: 'user')

topic_id = params[:include_post_count_for].to_i
if topic_id != 0
if topic_id != 0 && guardian.can_see?(Topic.find_by_id(topic_id))
user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count }
end
else
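Review bot: `Topic.find_by_id(topic_id)` on the changed `if` line returns nil for an unknown or deleted id, and that nil is handed straight to `guardian.can_see?`; Discourse's Guardian most likely answers false for a nil argument, but that contract is not visible in the hunk, so making the guard explicit documents the intent: `topic = Topic.find_by_id(topic_id)` followed by `if topic && guardian.can_see?(topic)`. A why-comment above the check is also worth adding, because the count on the next line is already filtered through `Post.secured(guardian)` and a later reader may take that as sufficient: `# the topic itself must be visible too; Post.secured alone was not enough (#19728)`. The `show` action continues outside the hunk on both sides.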
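--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -4201,6 +4201,15 @@ def create_and_like_post(likee, liker)
 expect(topic_post_count[topic.id.to_s]).to eq(1)
 end
 
+it "doesn't include the post count when the signed in user doesn't have access" do
+c = Fabricate(:category, read_restricted: true)
+topic.update(category_id: c.id)
+expect(Guardian.new(user1).can_see?(topic)).to eq(false)
+get "/u/#{admin.username}.json", params: { include_post_count_for: topic.id }
+topic_post_count = response.parsed_body.dig("user", "topic_post_count")
+expect(topic_post_count).to eq(nil)
+end
+
 it "includes all post types for staff members" do
 SiteSetting.whispers_allowed_groups = "#{Group::AUTO_GROUPS[:staff]}"
 sign_in(admin)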
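Review bot: The new example at the `it "doesn't include the post count ..."` line never shows which user is signed in: it asserts `Guardian.new(user1).can_see?(topic)` is false and then issues the GET, so the request only exercises the fix if an enclosing `before` block signs in `user1` (the neighbouring staff example signs in `admin` explicitly). If no such setup exists, the request runs anonymously and the nil expectation passes for the wrong reason; an explicit `sign_in(user1)` before the `get` would make the example self-contained. A second example passing an `include_post_count_for` that matches no topic would also cover the nil-topic path the controller change now takes. Minor style: `expect(topic_post_count).to be_nil` is the idiomatic RSpec form of `eq(nil)`.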
