mirror of
https://gh.wpcy.net/https://github.com/discourse/discourse.git
synced 2026-05-02 19:44:59 +08:00
Permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn't have access. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page's search box. This fix adds access checks via a new `PermalinkGuardian` module before redirecting or returning target URLs. If the current user cannot see the target resource, a 404 is returned instead. Also fixes `Guardian#can_see_tag?` to properly check hidden tag visibility instead of always returning true. Ref - t/172554
13 lines
525 B
Ruby
```ruby
# frozen_string_literal: true

# Visibility check for the resource a permalink resolves to. Relies on the
# including class (Guardian) providing can_see_topic?, can_see_post?,
# can_see_category?, can_see_tag? and can_see_user?, so the controller can
# return 404 instead of leaking the target URL and its slug in a redirect.
module PermalinkGuardian
  def can_see_permalink_target?(permalink)
    # External targets point outside the site and carry no restricted resource.
    return true if permalink.external?
    return can_see_topic?(permalink.topic) if permalink.topic_id.present?
    return can_see_post?(permalink.post) if permalink.post_id.present?
    return can_see_category?(permalink.category) if permalink.category_id.present?
    return can_see_tag?(permalink.tag) if permalink.tag_id.present?
    return can_see_user?(permalink.user) if permalink.user_id.present?

    # A permalink with no recognised target is treated as not visible.
    false
  end
end
```
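The following is an added, stand-alone example and not Discourse code. It models the redirect path the commit message describes so the pre-fix leak and the post-fix 404 can be run side by side without Rails. `Topic`, `Permalink`, the simplified `Guardian`, the `resolve_without_check` / `resolve_with_check` helpers, the `[status, location]` return shape and the `Object#present?` shim are all constructed stand-ins for this demo; only the `PermalinkGuardian` body is reproduced from the file above, and the sample permalinks and topics are made up.

```ruby
# Added example, not Discourse code: constructed stand-ins for Topic, Permalink
# and Guardian, plus two resolve_* helpers mimicking the controller before and
# after the fix. Only PermalinkGuardian is copied from the page.

class Object
  # Stand-in for ActiveSupport's Object#present?, which the module calls;
  # Rails is not loaded in this demo.
  def present?
    !nil? && !(respond_to?(:empty?) && empty?)
  end
end

# Constructed topic: id, slug and a restricted flag are all the demo needs.
Topic = Struct.new(:id, :slug, :restricted, keyword_init: true)

# Constructed Permalink carrying just the attributes the module reads. Only the
# topic association is ever populated here; the others stay nil.
Permalink = Struct.new(:url, :topic_id, :post_id, :category_id, :tag_id,
                       :user_id, :external_url, :topic, :post, :category,
                       :tag, :user, keyword_init: true) do
  def external?
    !external_url.nil?
  end

  # The URL the controller would redirect to; the slug in it is what leaked.
  def target_url
    return external_url if external?
    return "/t/#{topic.slug}/#{topic.id}" if topic
    nil
  end
end

# Reproduced from the page so the demo runs.
module PermalinkGuardian
  def can_see_permalink_target?(permalink)
    return true if permalink.external?
    return can_see_topic?(permalink.topic) if permalink.topic_id.present?
    return can_see_post?(permalink.post) if permalink.post_id.present?
    return can_see_category?(permalink.category) if permalink.category_id.present?
    return can_see_tag?(permalink.tag) if permalink.tag_id.present?
    return can_see_user?(permalink.user) if permalink.user_id.present?
    false
  end
end

# Constructed Guardian: a restricted topic is visible only to a logged-in user.
# Real Discourse rules are far richer; only topics are modelled here.
class Guardian
  include PermalinkGuardian

  def initialize(user)
    @user = user
  end

  def can_see_topic?(topic)
    return false if topic.nil?
    !topic.restricted || !@user.nil?
  end

  def can_see_post?(_post); false; end
  def can_see_category?(_category); false; end
  def can_see_tag?(_tag); false; end
  def can_see_user?(_user); false; end
end

# Pre-fix shape of the controller: redirect unconditionally, so the Location
# header carries the restricted topic's slug for any requester.
def resolve_without_check(permalink)
  [302, permalink.target_url]
end

# Post-fix shape: consult the guardian first; 404 with no Location otherwise.
def resolve_with_check(guardian, permalink)
  return [404, nil] unless guardian.can_see_permalink_target?(permalink)
  [302, permalink.target_url]
end

# Constructed sample data.
SECRET_TOPIC = Topic.new(id: 42, slug: "q3-layoff-plan", restricted: true)
PUBLIC_TOPIC = Topic.new(id: 7, slug: "welcome", restricted: false)
PRIVATE_PERMALINK = Permalink.new(url: "old/secret", topic_id: 42, topic: SECRET_TOPIC)
PUBLIC_PERMALINK = Permalink.new(url: "old/welcome", topic_id: 7, topic: PUBLIC_TOPIC)
EXTERNAL_PERMALINK = Permalink.new(url: "old/blog", external_url: "https://example.com/blog")
DANGLING_PERMALINK = Permalink.new(url: "old/gone") # no target at all
ANON = Guardian.new(nil)
MEMBER = Guardian.new(:alice)

if __FILE__ == $PROGRAM_NAME
  puts "before fix, anon:   #{resolve_without_check(PRIVATE_PERMALINK).inspect}"
  puts "after fix,  anon:   #{resolve_with_check(ANON, PRIVATE_PERMALINK).inspect}"
  puts "after fix,  member: #{resolve_with_check(MEMBER, PRIVATE_PERMALINK).inspect}"
end
```

Run it with `ruby permalink_demo.rb`. The anonymous request against the restricted permalink gets `[302, "/t/q3-layoff-plan/42"]` before the check and `[404, nil]` after it, while a logged-in member, a public topic and an external target are unaffected; a permalink with no recognised target falls through to `false` and also yields 404.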