mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-13 08:35:53 +08:00
769f438f0d
Two issues fixed: 1. **Group visibility bypass** — the `target_groups` parameter was passed directly to the user resolution query without checking group or member visibility for the acting user. An authenticated chat user could craft an API request with a known private/hidden group name and receive a channel containing that group's members, leaking their identities. Fix: filter `target_groups` through `visible_groups` and `members_visible_groups` scopes before resolving users in both `CreateDirectMessageChannel` and `AddUsersToChannel` services. 2. **Chat-disabled user bypass** — `can_chat?` only checked group membership, not the `chat_enabled` user preference. A chat-disabled user could create or query DM channels between other users via the direct messages API, potentially exposing private `last_message` content. Fix: add `chat_enabled` check to `can_chat?` and add an actor inclusion guard in `fetch_target_users` so the service fails if the acting user gets filtered out of the resolved user set. --- **Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-2m5j-6v2r-cq2h |
||
|---|---|---|
| .. | ||
| controllers/chat | ||
| jobs | ||
| models | ||
| queries/chat | ||
| serializers/chat | ||
| services/chat | ||
| validators/chat | ||
| views | ||
