discourse/plugins/discourse-policy/app
Alan Guo Xiang Tan dcde9de530 SECURITY: Add authorization to policy add-users-to-group
- The `add-users-to-group` attribute on a policy automatically enrolls
  users into a group when they accept the policy. No code path verified
  whether the post author could actually manage the target group.
- Add a `Guardian#can_edit_group?` check in the `post_process_cooked`
  handler so the target group ID is only persisted when the post author
  can manage it.
- Add a `Guardian#can_edit_group?` check in
  `PolicyController#ensure_can_accept` so accept/unaccept requests are
  rejected if the post author's permission to manage the target group
  has since been revoked.
2026-03-19 15:21:28 +00:00
controllers/discourse_policy SECURITY: Add authorization to policy add-users-to-group 2026-03-19 15:21:28 +00:00
models SECURITY: Add authorization to policy add-users-to-group 2026-03-19 15:21:28 +00:00
views