discourse/plugins/discourse-ai/spec/requests/sentiment
Isaac Janzen e1bb146a1f SECURITY: Scope sentiment posts endpoint to allowed categories
Sentiment posts endpoint was not filtering by category permissions, allowing staff users to retrieve posts from categories they lack access to.

- Add `guardian.allowed_category_ids` filter to SQL query
- Add tests covering both `group_by: category` and `group_by: tag` paths

---

**Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-vj5f-gg8m-93xg
2026-03-31 15:12:45 +01:00
sentiment_controller_spec.rb SECURITY: Scope sentiment posts endpoint to allowed categories 2026-03-31 15:12:45 +01:00