SECURITY: ensure users have permission when moving categories

2025-09-06 09:10:25 +08:00 · 2018-03-02 12:13:04 +11:00 · 2018-03-02 12:13:04 +11:00 · 75172024ca
commit 75172024ca
parent 4a7a371557
9 changed files with 113 additions and 23 deletions
--- a/app/controllers/posts_controller.rb
+++ b/app/controllers/posts_controller.rb
@ -200,6 +200,15 @@ class PostsController < ApplicationController
    if post.is_first_post?
      changes[:title] = params[:title] if params[:title]
      changes[:category_id] = params[:post][:category_id] if params[:post][:category_id]
+
+      if changes[:category_id] && changes[:category_id].to_i != post.topic.category_id.to_i
+        category = Category.find_by(id: changes[:category_id])
+        if category || (changes[:category_id].to_i == 0)
+          guardian.ensure_can_create_topic_on_category!(category)
+        else
+          return render_json_error(I18n.t('category.errors.not_found'))
+        end
+      end
    end

    # We don't need to validate edits to small action posts by staff
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -226,6 +226,15 @@ class TopicsController < ApplicationController
    topic = Topic.find_by(id: params[:topic_id])
    guardian.ensure_can_edit!(topic)

+    if params[:category_id] && (params[:category_id].to_i != topic.category_id.to_i)
+      category = Category.find_by(id: params[:category_id])
+      if category || (params[:category_id].to_i == 0)
+        guardian.ensure_can_create_topic_on_category!(category)
+      else
+        return render_json_error(I18n.t('category.errors.not_found'))
+      end
+    end
+
    changes = {}
    PostRevisor.tracked_topic_fields.each_key do |f|
      changes[f] = params[f] if params.has_key?(f)