discourse/plugins/chat/app/controllers/chat
Nat ea2971a5aa SECURITY: Chat authorization and disclosure fixes
This PR contains a few chat patches:

- https://patch.discourse.org/patch-triage/1081
   - Read-only category users could create chat threads via `Chat::CreateThread`. Tightened `can_create_thread_in_channel` to require `can_join_chat_channel?` for category channels and the full `Chat::Channel::Policy::MessageCreation` for DMs, plus a 403 handler for the failed policy.
   - `channel_threads_controller.rb`, `create_thread.rb`, `channel_threads_controller_spec.rb`, `create_thread_spec.rb`

- https://patch.discourse.org/patch-triage/1086
   - A user could restore their own self-deleted chat message after losing access to the channel (group revoked, DM membership removed). Added a `can_preview_chat_channel?` short-circuit inside the self-deletion branch of `can_restore_chat?`.
   - `guardian_extensions.rb`, `guardian_extensions_spec.rb`, `channel_messages_controller_spec.rb`

- https://patch.discourse.org/patch-triage/1049
   - Reviewable chat messages exposed unrelated current `last_message` content of a flagged DM channel to moderators (who aren't members). Added an `include_last_message?` predicate on `Chat::ChannelSerializer` gated by `can_preview_chat_channel?`, which is false for DM non-members but stays true for read-only category members so they keep seeing channel previews.
   - `channel_serializer.rb`, `channel_serializer_spec.rb`, `reviewables_controller_spec.rb`

- https://patch.discourse.org/patch-triage/1047 + https://patch.discourse.org/patch-triage/1053
   - The calendar event API leaked the chat channel block (and its `last_message` body) to anonymous viewers and any user without chat access. Gated `include_channel?` with `can_chat? && can_preview_chat_channel?` (excludes anonymous and users not in `chat_allowed_groups`, while preserving read-only category access) and passed membership through to the channel serializer.
   - `discourse-calendar/app/serializers/discourse_post_event/event_serializer.rb`, `discourse-calendar/spec/requests/events_controller_spec.rb`

https://github.com/discourse/discourse/security/advisories/GHSA-rw8j-p2gv-q33w
2026-05-19 00:26:04 +01:00
admin DEV: Clean up scope resolution operators in plugins (#34979) 2025-09-30 14:36:34 +02:00
api SECURITY: Chat authorization and disclosure fixes 2026-05-19 00:26:04 +01:00
api_controller.rb DEV: Drop WithServiceHelper 2024-09-05 09:58:20 +02:00
base_controller.rb DEV: Clean up scope resolution operators in plugins (#34979) 2025-09-30 14:36:34 +02:00
chat_controller.rb DEV: Move chat message rebake into a service object (#38020) 2026-02-24 14:11:21 +01:00
direct_messages_controller.rb FIX: ensures we fetch the direct message channel (#37767) 2026-02-12 16:09:30 +01:00
incoming_webhooks_controller.rb DEV: Update rubocop-discourse to 3.13 and autofix issues (#35073) 2025-10-06 16:11:01 +02:00