From 88a8c02f4c767a30f7fcf9f7c6c8f7a93b115ec0 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 30 Oct 2016 16:20:59 -0500
Subject: [PATCH 1/4] Test /forum_posts doesn't list private forum topics.

---
 test/factories/forum_topic.rb | 4 +++
 .../functional/forum_posts_controller_test.rb | 25 +++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/test/factories/forum_topic.rb b/test/factories/forum_topic.rb
index 144ef1941..689679509 100644
--- a/test/factories/forum_topic.rb
+++ b/test/factories/forum_topic.rb
@@ -4,5 +4,9 @@ FactoryGirl.define do
     is_sticky false
     is_locked false
     category_id 0
+
+    factory(:mod_up_forum_topic) do
+      min_level User::Levels::MODERATOR
+    end
   end
 end
diff --git a/test/functional/forum_posts_controller_test.rb b/test/functional/forum_posts_controller_test.rb
index bbf4b6623..82c8416c8 100644
--- a/test/functional/forum_posts_controller_test.rb
+++ b/test/functional/forum_posts_controller_test.rb
@@ -36,6 +36,31 @@ class ForumPostsControllerTest < ActionController::TestCase
         assert_equal(0, assigns(:forum_posts).size)
       end
     end
+
+    context "with private topics" do
+      setup do
+        @mod_topic = FactoryGirl.create(:mod_up_forum_topic)
+        @mod_posts = 2.times.map do
+          FactoryGirl.create(:forum_post, :topic_id => @mod_topic.id)
+        end
+        @mod_post_ids = ([@forum_post] + @mod_posts).map(&:id).reverse
+      end
+
+      should "list only permitted posts for members" do
+        get :index, {}, { :user_id => @user.id }
+
+        assert_response :success
+        assert_equal([@forum_post.id], assigns(:forum_posts).map(&:id))
+      end
+
+      should "list only permitted posts for mods" do
+        CurrentUser.user = @mod
+        get :index, {}, { :user_id => @mod.id }
+
+        assert_response :success
+        assert_equal(@mod_post_ids, assigns(:forum_posts).map(&:id))
+      end
+    end
   end
 
   context "edit action" do
From 4e9f7391e65597e07c5f58d84a67b1b3e2e5c449 Mon Sep 17 00:00:00 2001
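Review bot: The two new cases in forum_posts_controller_test.rb set up the acting user differently: the "for mods" case assigns `CurrentUser.user = @mod` directly before the request, while the "for members" case relies on the session `:user_id` alone. If the controller derives `CurrentUser` from the session, the assignment is redundant; if it does not, the members case runs against whatever `CurrentUser` the surrounding `setup` left behind, and the test passes for a reason unrelated to the session user. Either drop the assignment or put both requests in `CurrentUser.scoped(@user) do ... end` / `CurrentUser.scoped(@mod) do ... end`, which also restores the previous user afterwards instead of leaking `@mod` into later tests. The enclosing context whose `setup` defines `@forum_post`, `@user` and `@mod` starts outside this hunk, so I cannot confirm which user it leaves in `CurrentUser`.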
From: evazion
Date: Sun, 30 Oct 2016 17:30:31 -0500
Subject: [PATCH 2/4] Test private topics don't bump forum.

---
 .../forum_topics_controller_test.rb | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/test/functional/forum_topics_controller_test.rb b/test/functional/forum_topics_controller_test.rb
index a23192e2a..eb3334757 100644
--- a/test/functional/forum_topics_controller_test.rb
+++ b/test/functional/forum_topics_controller_test.rb
@@ -25,6 +25,26 @@ class ForumTopicsControllerTest < ActionController::TestCase
       get :show, {:id => @forum_topic.id}
       assert_redirected_to forum_topics_path
     end
+
+    should "not bump the forum for users without access" do
+      @gold_user = FactoryGirl.create(:gold_user)
+      CurrentUser.user = @gold_user
+
+      # An open topic should bump...
+      @open_topic = FactoryGirl.create(:forum_topic)
+      assert_equal(true, @gold_user.has_forum_been_updated?)
+
+      # Marking it as read should clear it...
+      CurrentUser.scoped(@gold_user) do
+        post :mark_all_as_read, {}, {:user_id => @gold_user.id}
+      end
+      assert_redirected_to(forum_topics_path)
+      assert_equal(false, @gold_user.reload.has_forum_been_updated?)
+
+      # Then adding an unread private topic should not bump.
+      FactoryGirl.create(:forum_post, :topic_id => @forum_topic.id)
+      assert_equal(false, @gold_user.reload.has_forum_been_updated?)
+    end
   end
 
   context "show action" do
From 5d54ba5096524f134506a67515ae2dfa2b72ad56 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 30 Oct 2016 15:49:01 -0500
Subject: [PATCH 3/4] Fix listing private topics in /forum_posts.

Fix an exploit allowing viewing of private topics with http://danbooru.donmai.us/forum_posts
---
 app/models/forum_post.rb | 6 +++++-
 app/models/forum_topic.rb | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/app/models/forum_post.rb b/app/models/forum_post.rb
index a8a05f3e9..e0a1e65df 100644
--- a/app/models/forum_post.rb
+++ b/app/models/forum_post.rb
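Review bot: The final step of the new "not bump the forum" test does not do what its comment says: `# Then adding an unread private topic should not bump.` is followed by creating a forum *post* in `@forum_topic`, which is presumably the private topic from the surrounding setup (the preceding `get :show` redirect suggests so, but that setup is outside the hunk), so the comment should read `# Then a new post in an unread private topic should not bump the forum.`. `@open_topic` is assigned and never read; a plain `FactoryGirl.create(:forum_topic)` avoids leaking an unused instance variable into the test case. The `assert_equal(true, ...)` / `assert_equal(false, ...)` pairs would read better as `assert(...)` and `refute(...)`, matching how predicates are usually asserted.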
@@ -54,8 +54,12 @@ class ForumPost < ActiveRecord::Base
       where("forum_posts.is_deleted = false")
     end
 
+    def permitted
+      joins(:topic).where("min_level <= ?", CurrentUser.level)
+    end
+
     def search(params)
-      q = where("true")
+      q = permitted
       return q if params.blank?
 
       if params[:creator_id].present?
diff --git a/app/models/forum_topic.rb b/app/models/forum_topic.rb
index 344fe6c66..6c82d9112 100644
--- a/app/models/forum_topic.rb
+++ b/app/models/forum_topic.rb
@@ -57,8 +57,12 @@ class ForumTopic < ActiveRecord::Base
       where("is_deleted = false")
     end
 
+    def permitted
+      where("min_level <= ?", CurrentUser.level)
+    end
+
     def search(params)
-      q = where("true")
+      q = permitted
       return q if params.blank?
 
       if params[:title_matches].present?
From 18d2d0b6b81a474424756b60d09e6a24d8b92df9 Mon Sep 17 00:00:00 2001
From: evazion
Date: Sun, 30 Oct 2016 16:20:13 -0500
Subject: [PATCH 4/4] Fix private forum topic bumping for users below min level.

---
 app/models/user.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/models/user.rb b/app/models/user.rb
index 15be1e2ad..3d5d44875 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -489,7 +489,7 @@ class User < ActiveRecord::Base
   module ForumMethods
     def has_forum_been_updated?
       return false unless is_gold?
-      max_updated_at = ForumTopic.active.maximum(:updated_at)
+      max_updated_at = ForumTopic.permitted.active.maximum(:updated_at)
       return false if max_updated_at.nil?
       return true if last_forum_read_at.nil?
       return max_updated_at > last_forum_read_at
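Review bot: The new `ForumPost.permitted` scope leaves `min_level` unqualified in a query that now joins forum_topics, while the neighbouring scope qualifies `forum_posts.is_deleted`; if forum_posts ever gains a column of that name the query becomes ambiguous at runtime, so write `joins(:topic).where("forum_topics.min_level <= ?", CurrentUser.level)`. Both this hunk and the matching `ForumTopic.permitted` in the forum_topic.rb hunk below bind the visibility check to the request-global `CurrentUser.level` with no way for a caller to ask on behalf of another user; a default argument, `def permitted(level = CurrentUser.level)`, keeps every existing call site unchanged while letting instance code pass its own level. The scope is only applied inside `search`, so any other path that loads a ForumPost or ForumTopic (a `find` in a show action, for example — not visible here) is not covered by this fix and should be checked separately. A one-line comment above each scope, `# Records whose topic min_level the given user level is allowed to see.`, would make the authorization intent explicit to the next reader.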
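Review bot: `has_forum_been_updated?` is an instance method on User, but the new `ForumTopic.permitted` call filters by `CurrentUser.level`, so the result now depends on whoever the current user happens to be rather than on `self`; the test in PATCH 2 only passes because it sets `CurrentUser.user = @gold_user` first. Called for any other user (another session, a background job, an admin page listing users) the visibility filter is applied for the wrong account, which can report a bump for a topic that user cannot see, or hide one they can. If `ForumTopic.permitted` accepted the level as an argument this line would become `max_updated_at = ForumTopic.permitted(level).active.maximum(:updated_at)`, assuming User exposes a `level` attribute as `CurrentUser.level` and `User::Levels` suggest; otherwise a comment such as `# NOTE: visibility is evaluated for CurrentUser, not self — callers must scope CurrentUser to this user` should record the dependency.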