SECURITY: Convert send_digest to a post request (#19746)
Co-authored-by: Isaac Janzen <isaac.janzen@discourse.org>
tgxworld and janzenisaac committed Jan 4, 2023
1 parent c201386 commit cf862e7
Showing 3 changed files with 15 additions and 1 deletion.
1 change: 1 addition & 0 deletions app/assets/javascripts/admin/addon/models/email-preview.js
Expand Up @@ -16,6 +16,7 @@ EmailPreview.reopenClass({

sendDigest(username, lastSeenAt, email) {
return ajax("/admin/email/send-digest.json", {
type: "POST",
data: { last_seen_at: lastSeenAt || oneWeekAgo(), username, email },
});
},
2 changes: 1 addition & 1 deletion config/routes.rb
Expand Up @@ -177,7 +177,7 @@ def patch(*) end # Disable PATCH requests
get "/incoming/:id" => "email#incoming"
get "/incoming_from_bounced/:id" => "email#incoming_from_bounced"
get "preview-digest" => "email#preview_digest"
get "send-digest" => "email#send_digest"
post "send-digest" => "email#send_digest"
get "smtp_should_reject"
post "handle_mail"
get "advanced-test"
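Review bot: The `post "send-digest" => "email#send_digest"` line is the whole security fix, but nothing on it records why it must not sit with the `get` routes above, so a later tidy-up could merge it back. A one-line comment such as `# POST only: send_digest presumably triggers a mail send and must not be reachable via GET (CSRF, link prefetch)` would make the intent durable. The neighbouring `preview-digest` route stays `get`, which is fine only if that action is read-only; the controller is not in this diff, so that assumption is worth confirming.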
13 changes: 13 additions & 0 deletions spec/requests/admin/email_controller_spec.rb
Expand Up @@ -337,6 +337,19 @@
end
end

describe '#send_digest' do
context "when logged in as an admin" do
before { sign_in(admin) }

it "sends the digest" do
post "/admin/email/send-digest.json", params: {
last_seen_at: 1.week.ago, username: admin.username, email: email('previous_replies')
}
expect(response.status).to eq(200)
end
end
end

describe '#handle_mail' do
context "when logged in as an admin" do
before { sign_in(admin) }
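Review bot: The new `it "sends the digest"` example only asserts a 200 on POST; it neither checks that the digest is produced nor that the GET route this commit removes is now rejected, so the regression being fixed is not pinned. Add a companion example in the same admin context, e.g. `expect { get "/admin/email/send-digest.json", params: { username: admin.username } }.to raise_error(ActionController::RoutingError)`, and, if the action enqueues or delivers mail, an expectation on that effect rather than on the status alone. A non-admin context (moderator or regular user receiving 403/404) would also be worth covering; only the admin context of the sibling `describe '#handle_mail'` block is visible here, so I cannot tell whether that is the file's convention.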

