jaculabilis/danbooru
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

fix exploit for viewing private dmails

Browse Source
This commit is contained in:
Albert Yi
2016-12-06 14:34:46 -08:00
parent deb62e0cdb
commit 4eb0a64135
2 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
app/controllers/dmails_controller.rb
View File

@@ -5,7 +5,9 @@ class DmailsController < ApplicationController
def new def new
if params[:respond_to_id] if params[:respond_to_id]
@dmail = Dmail.find(params[:respond_to_id]).build_response(:forward => params[:forward]) parent = Dmail.find(params[:respond_to_id])
check_privilege(parent)
@dmail = parent.build_response(:forward => params[:forward])
else else
@dmail = Dmail.new(params[:dmail]) @dmail = Dmail.new(params[:dmail])
end end
@@ -58,6 +60,7 @@ class DmailsController < ApplicationController
end end
private private
def check_privilege(dmail) def check_privilege(dmail)
if !dmail.visible_to?(CurrentUser.user, params[:key]) if !dmail.visible_to?(CurrentUser.user, params[:key])
raise User::PrivilegeError raise User::PrivilegeError

6
test/functional/dmails_controller_test.rb
View File

@@ -22,6 +22,12 @@ class DmailsControllerTest < ActionController::TestCase
end end
context "with a respond_to_id" do context "with a respond_to_id" do
should "check privileges" do
@user2 = FactoryGirl.create(:user)
get :new, {:respond_to_id => @dmail}, {:user_id => @user2.id}
assert_response 403
end
should "prefill the fields" do should "prefill the fields" do
get :new, {:respond_to_id => @dmail}, {:user_id => @user.id} get :new, {:respond_to_id => @dmail}, {:user_id => @user.id}
assert_response :success assert_response :success