discourse

mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-27 13:45:29 +08:00

History

Isaac Janzen 4b9ee0bc05 SECURITY: Enforce edit permissions and audit trail in TriggerPostAction The suspend/silence endpoint accepted an arbitrary post_id with post_action "edit". Because the edit action had no guardian check, a moderator could target any static doc post (ToS, guidelines, privacy policy) — posts moderators are explicitly blocked from editing — even ones unrelated to the user being suspended. Add the missing can_edit_post? guardian check to the edit action, consistent with the existing checks on delete and delete_replies.	2026-03-19 15:21:28 +00:00
..
destroy_and_publish_spec.rb	DEV: add shortcut fab!(:variable, :fabricator) to specs (#33577 )	2025-07-11 11:16:34 -03:00
trigger_post_action_spec.rb	SECURITY: Enforce edit permissions and audit trail in TriggerPostAction	2026-03-19 15:21:28 +00:00

Isaac Janzen 4b9ee0bc05 SECURITY: Enforce edit permissions and audit trail in TriggerPostAction

The suspend/silence endpoint accepted an arbitrary post_id with
post_action "edit". Because the edit action had no guardian check,
a moderator could target any static doc post (ToS, guidelines, privacy
policy) — posts moderators are explicitly blocked from editing — even
ones unrelated to the user being suspended.

Add the missing can_edit_post? guardian check to the edit action,
consistent with the existing checks on delete and delete_replies.

2026-03-19 15:21:28 +00:00

destroy_and_publish_spec.rb

DEV: add shortcut fab!(:variable, :fabricator) to specs (#33577 )

2025-07-11 11:16:34 -03:00

trigger_post_action_spec.rb

SECURITY: Enforce edit permissions and audit trail in TriggerPostAction

2026-03-19 15:21:28 +00:00

菲码源库

快速导航

产品服务

生态伙伴