Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-01 14:54:42 +08:00
Code Packages Activity Actions
discourse/spec/requests/post_action_users_controller_spec.rb
Alan Guo Xiang Tan 8817a6d34b SECURITY: hide total_rows for restricted post action types 
What is the problem?

- `PostActionUsersController#index` serves the list of users who
  performed a given post action, along with a
  `total_rows_post_action_users` count used for pagination.
- For restricted action types (flags, bookmarks, notify_user),
  `Guardian#can_see_post_actors?` correctly filters the user list to
  only the current user's own action.
- However, `total_rows_post_action_users` — read from the
  denormalized column on the post — was always included when the
  count exceeded the page size, regardless of permissions.
- A crafted request with a small `limit` param could cause
  `total_rows_post_action_users` to appear in the response, revealing
  how many total actions of that type exist on the post.

What is the solution?

- Only include `total_rows_post_action_users` in the response when
  the user can see post actors. The `idx_unique_actions` index
  enforces uniqueness on `(user_id, post_action_type_id, post_id,
  targets_topic)`, so a restricted user can have at most 2 actions
  per type per post — pagination is never needed for them.
- The public action types path (likes) is unchanged.
2026-03-19 15:21:28 +00:00

246 lines
7.8 KiB
Ruby
Raw Permalink Blame History

# frozen_string_literal: true
RSpec.describe PostActionUsersController do
fab!(:user) { Fabricate(:user, refresh_auto_groups: true) }
let(:post) { Fabricate(:post, user: sign_in(user)) }
describe "#index" do
describe "when limit params is invalid" do
include_examples "invalid limit params",
"/post_action_users.json",
described_class::INDEX_LIMIT
end
it "does not include total_rows_post_action_users for restricted action types" do
notify_mod = PostActionType.types[:notify_moderators]
PostActionCreator.new(post.user, post, notify_mod, message: "first report").perform
PostActionCreator.new(
Fabricate(:user, refresh_auto_groups: true),
post,
notify_mod,
message: "second report",
).perform
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: notify_mod,
limit: 1,
}
expect(response.status).to eq(200)
expect(response.parsed_body["post_action_users"].map { |u| u["id"] }).to eq([user.id])
expect(response.parsed_body["total_rows_post_action_users"]).to be_nil
end
it "includes total_rows_post_action_users for restricted action types when staff" do
notify_mod = PostActionType.types[:notify_moderators]
PostActionCreator.new(post.user, post, notify_mod, message: "first report").perform
PostActionCreator.new(
Fabricate(:user, refresh_auto_groups: true),
post,
notify_mod,
message: "second report",
).perform
sign_in(Fabricate(:admin))
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: notify_mod,
limit: 1,
}
expect(response.status).to eq(200)
expect(response.parsed_body["post_action_users"].map { |u| u["id"] }).to eq([user.id])
expect(response.parsed_body["total_rows_post_action_users"]).to eq(2)
end
end
context "with render" do
it "always allows you to see your own actions" do
notify_mod = PostActionType.types[:notify_moderators]
PostActionCreator.new(
post.user,
post,
notify_mod,
message: "well something is wrong here!",
).perform
PostActionCreator.new(
Fabricate(:user),
post,
notify_mod,
message: "well something is not wrong here!",
).perform
get "/post_action_users.json", params: { id: post.id, post_action_type_id: notify_mod }
expect(response.status).to eq(200)
users = response.parsed_body["post_action_users"]
expect(users.length).to eq(1)
expect(users[0]["id"]).to eq(post.user.id)
end
end
it "raises an error without an id" do
get "/post_action_users.json", params: { post_action_type_id: PostActionType.types[:like] }
expect(response.status).to eq(400)
end
it "raises an error without a post action type" do
get "/post_action_users.json", params: { id: post.id }
expect(response.status).to eq(400)
end
it "fails when the user doesn't have permission to see the post" do
post.trash!
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: PostActionType.types[:like],
}
expect(response).to be_forbidden
end
it "raises an error when anon tries to look at an invalid action" do
get "/post_action_users.json",
params: {
id: Fabricate(:post).id,
post_action_type_id: PostActionType.types[:notify_moderators],
}
expect(response).to be_forbidden
end
it "succeeds" do
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: PostActionType.types[:like],
}
expect(response.status).to eq(200)
end
it "will return an unknown attribute for muted users" do
ignored_user = Fabricate(:user)
PostActionCreator.like(ignored_user, post)
regular_user = Fabricate(:user)
PostActionCreator.like(regular_user, post)
Fabricate(:ignored_user, user: user, ignored_user: ignored_user)
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: PostActionType.types[:like],
}
expect(response.status).to eq(200)
json_users = response.parsed_body["post_action_users"]
expect(json_users.find { |u| u["id"] == regular_user.id }["unknown"]).to be_blank
expect(json_users.find { |u| u["id"] == ignored_user.id }["unknown"]).to eq(true)
end
it "does not hide users from the like list when they are not in the actor's PM allowlist" do
user_not_in_allowlist = Fabricate(:user)
user_in_allowlist = Fabricate(:user)
PostActionCreator.like(user_not_in_allowlist, post)
PostActionCreator.like(user_in_allowlist, post)
user.user_option.update!(enable_allowed_pm_users: true)
AllowedPmUser.create!(user: user, allowed_pm_user: user_in_allowlist)
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: PostActionType.types[:like],
}
expect(response.status).to eq(200)
json_users = response.parsed_body["post_action_users"]
expect(json_users.find { |u| u["id"] == user_not_in_allowlist.id }).to be_present
expect(json_users.find { |u| u["id"] == user_in_allowlist.id }).to be_present
expect(json_users.find { |u| u["id"] == user_not_in_allowlist.id }["unknown"]).to be_blank
expect(json_users.find { |u| u["id"] == user_in_allowlist.id }["unknown"]).to be_blank
end
it "paginates post actions" do
user_ids = []
5.times do
user = Fabricate(:user)
user_ids << user["id"]
PostActionCreator.like(user, post)
end
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: PostActionType.types[:like],
page: 1,
limit: 2,
}
users = response.parsed_body["post_action_users"]
total = response.parsed_body["total_rows_post_action_users"]
expect(users.length).to eq(2)
expect(users.map { |u| u["id"] }).to eq(user_ids[2..3])
expect(total).to eq(5)
end
it "returns no users when the action type id is invalid" do
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: "invalid_action_type",
}
expect(response.status).to eq(200)
users = response.parsed_body["post_action_users"]
total = response.parsed_body["total_rows_post_action_users"]
expect(users.length).to eq(0)
expect(total).to be_nil
end
describe "when a plugin registers the :post_action_users_list modifier" do
before do
@post_action_1 = PostActionCreator.like(Fabricate(:user), post).post_action
@post_action_2 = PostActionCreator.like(Fabricate(:user), post).post_action
end
after { DiscoursePluginRegistry.clear_modifiers! }
it "allows the plugin to modify the post action query" do
excluded_post_action_ids = [@post_action_1.id]
Plugin::Instance
.new
.register_modifier(:post_action_users_list) do |query, modifier_post|
expect(modifier_post.id).to eq(post.id)
query.where.not(post_actions: { id: excluded_post_action_ids })
end
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: PostActionType.types[:like],
}
expect(response.status).to eq(200)
expect(response.parsed_body["post_action_users"].count).to eq(1)
DiscoursePluginRegistry.clear_modifiers!
get "/post_action_users.json",
params: {
id: post.id,
post_action_type_id: PostActionType.types[:like],
}
expect(response.status).to eq(200)
expect(response.parsed_body["post_action_users"].count).to eq(2)
end
end
end
View git blame Copy permalink