discourse/plugins/discourse-policy/spec/lib
Alan Guo Xiang Tan 451ed6aa98 SECURITY: Validate policy permissions on post save
The `create_policy_allowed_groups` setting controls who can create
policies, but it only gates the composer UI and the
`post_process_cooked` event handler. It does not prevent unauthorized
users from injecting `[policy]` markup directly into post raw — for
example, by editing a wiki post.

Add `DiscoursePolicy::PostValidator` as an ActiveRecord validation on
`Post`. When policies are added, removed, or modified, both the post
owner and the acting user must belong to `create_policy_allowed_groups`
or the save is rejected. Policies inside blockquotes are ignored.
2026-03-19 15:21:28 +00:00
check_policy_spec.rb DEV: Update rubocop-discourse to 3.13 and autofix issues (#35073) 2025-10-06 16:11:01 +02:00
post_validator_spec.rb SECURITY: Validate policy permissions on post save 2026-03-19 15:21:28 +00:00
pretty_text_spec.rb DEV: Convert policy_restrict_to_staff_posts to group based access (#36157) 2025-12-02 09:50:18 +08:00