discourse/plugins/poll/spec
Isaac Janzen d74ff25db9 SECURITY: Check topic visibility before allowing poll interactions
## Summary

- Adds a `guardian.can_see_topic?` check in `DiscoursePoll::Poll` to prevent users from interacting with polls on topics they can no longer access
- Covers the case where a user loses group membership for a private category but could still toggle poll status via the API
- Adds integration test verifying poll toggle is blocked after group removal

---

**Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-wq58-pvf6-w4p8
2026-03-31 15:12:45 +01:00
controllers SECURITY: Fix poll post_id array authorization bypass 2026-03-19 15:21:28 +00:00
fabricators FEATURE: Add Ranked Choice Voting 2024-07-17 11:49:14 +02:00
integration SECURITY: Check topic visibility before allowing poll interactions 2026-03-31 15:12:45 +01:00
jobs/regular DEV: Remove unnecessary rails_helper requiring (#26364) 2024-03-26 11:32:01 +01:00
lib FIX: Include poll options in HTML email notifications (#37812) 2026-02-17 11:39:42 +01:00
models FIX: match ActiveRecord#reload signature in overrides (#38639) 2026-03-17 09:10:34 +11:00
requests DEV: Update rubocop-discourse (#30552) 2025-01-04 13:48:21 +01:00
serializers DEV: Apply syntax_tree formatting to plugins/* 2023-01-07 11:11:37 +00:00
system DEV: Update rubocop (#38721) 2026-03-20 00:39:52 +01:00