SECURITY: Don't leak user of previous whisper post when deleting a topic.

A topic's last poster can be incorrectly set to a user of a whisper post
if the whisper post is before the last post and the last post is
deleted.
tgxworld committed Jul 23, 2021
1 parent 680024f commit dbdf611
Showing 2 changed files with 17 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/post_destroyer.rb
Expand Up @@ -253,6 +253,7 @@ def make_previous_post_the_last_one
.select(:created_at, :user_id, :post_number)
.where("topic_id = ? and id <> ?", @post.topic_id, @post.id)
.where.not(user_id: nil)
.where.not(post_type: Post.types[:whisper])
.order('created_at desc')
.limit(1)
.first
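Review bot: The new `.where.not(post_type: Post.types[:whisper])` line carries its security reasoning only in the commit message, so a future refactor of this query could drop it without noticing; a why-comment on that line would anchor it, e.g. `# Whispers are not visible to ordinary readers, so a whisperer must never become the topic's visible last poster.` The visible part of the query also does not restrict `deleted_at`; if `Post` has no default scope that excludes trashed posts, an earlier soft-deleted post could be selected here — confirm against the model before relying on it. If `Post.types` carries other non-regular types besides whisper, consider whether they should be excluded under the same rule. `make_previous_post_the_last_one` starts before this hunk and its body continues past it.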
16 changes: 16 additions & 0 deletions spec/components/post_destroyer_spec.rb
Expand Up @@ -603,6 +603,22 @@ def changes_deleted_at_to_nil
end
end

describe "deleting a post directly after a whisper" do
before do
SiteSetting.enable_whispers = true
end

it 'should not set Topic#last_post_user_id to a whisperer' do
post_1 = create_post(topic: post.topic, user: moderator)
whisper_1 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
whisper_2 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])

PostDestroyer.new(admin, whisper_2).destroy

expect(post.topic.reload.last_post_user_id).to eq(post_1.user.id)
end
end

context 'deleting the second post in a topic' do

fab!(:user) { Fabricate(:user) }
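Review bot: `whisper_1` in the new example is assigned but never read, which RuboCop reports as an unused local; either drop the assignment or write `_whisper_1 = create_post(...)` to show the post exists only to sit between `post_1` and `whisper_2`. The describe title says "deleting a post directly after a whisper", but the example deletes a whisper (`whisper_2`) rather than a regular post after a whisper, so a second example that deletes a regular last post preceded by a whisper would cover the scenario named in the commit message more directly. `post`, `moderator` and `admin` come from an enclosing context outside this hunk.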
