Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-26 12:37:54 +08:00
Code Packages Activity Actions
discourse/plugins/chat/spec/lib
History
Exact
Nat ea2971a5aa SECURITY: Chat authorization and disclosure fixes 
This PR contains a few chat patches:

- https://patch.discourse.org/patch-triage/1081
   - Read-only category users could create chat threads via `Chat::CreateThread`. Tightened `can_create_thread_in_channel` to require `can_join_chat_channel?` for category channels and the full `Chat::Channel::Policy::MessageCreation` for DMs, plus a 403 handler for the failed policy.
   - `channel_threads_controller.rb`, `create_thread.rb`, `channel_threads_controller_spec.rb`, `create_thread_spec.rb`

- https://patch.discourse.org/patch-triage/1086
   - A user could restore their own self-deleted chat message after losing access to the channel (group revoked, DM membership removed). Added a `can_preview_chat_channel?` short-circuit inside the self-deletion branch of `can_restore_chat?`.
   - `guardian_extensions.rb`, `guardian_extensions_spec.rb`, `channel_messages_controller_spec.rb`

- https://patch.discourse.org/patch-triage/1049
     - Reviewable chat messages exposed unrelated current `last_message` content of a flagged DM channel to moderators (who aren't members). Added an
  `include_last_message?` predicate on `Chat::ChannelSerializer` gated by `can_preview_chat_channel?`, which is false for DM non-members but stays true
  for read-only category members so they keep seeing channel previews.
     - `channel_serializer.rb`, `channel_serializer_spec.rb`, `reviewables_controller_spec.rb`

- https://patch.discourse.org/patch-triage/1047 + https://patch.discourse.org/patch-triage/1053
     - The calendar event API leaked the chat channel block (and its `last_message` body) to anonymous viewers and any user without chat access. Gated
  `include_channel?` with `can_chat? && can_preview_chat_channel?` (excludes anonymous and users not in `chat_allowed_groups`, while preserving read-only
  category access) and passed membership through to the channel serializer.
     - `discourse-calendar/app/serializers/discourse_post_event/event_serializer.rb`, `discourse-calendar/spec/requests/events_controller_spec.rb`

https://github.com/discourse/discourse/security/advisories/GHSA-rw8j-p2gv-q33w
2026-05-19 00:26:04 +01:00
..
chat SECURITY: Chat authorization and disclosure fixes 2026-05-19 00:26:04 +01:00
chat_sdk DEV: correctly handle contract error in chat sdk (#37446) 2026-02-02 12:14:52 +01:00
site_setting_extension_spec.rb FEATURE: Allow site settings to be edited throughout admin UI (#26154) 2024-03-18 08:50:39 +10:00
statistics_spec.rb FEATURE: participating users statistics (#28322) 2024-08-12 23:47:13 +02:00