Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-26 11:12:53 +08:00
Code Packages Activity Actions
discourse/plugins/chat/spec/serializer
History
Exact
Nat ea2971a5aa SECURITY: Chat authorization and disclosure fixes 
This PR contains a few chat patches:

- https://patch.discourse.org/patch-triage/1081
   - Read-only category users could create chat threads via `Chat::CreateThread`. Tightened `can_create_thread_in_channel` to require `can_join_chat_channel?` for category channels and the full `Chat::Channel::Policy::MessageCreation` for DMs, plus a 403 handler for the failed policy.
   - `channel_threads_controller.rb`, `create_thread.rb`, `channel_threads_controller_spec.rb`, `create_thread_spec.rb`

- https://patch.discourse.org/patch-triage/1086
   - A user could restore their own self-deleted chat message after losing access to the channel (group revoked, DM membership removed). Added a `can_preview_chat_channel?` short-circuit inside the self-deletion branch of `can_restore_chat?`.
   - `guardian_extensions.rb`, `guardian_extensions_spec.rb`, `channel_messages_controller_spec.rb`

- https://patch.discourse.org/patch-triage/1049
     - Reviewable chat messages exposed unrelated current `last_message` content of a flagged DM channel to moderators (who aren't members). Added an
  `include_last_message?` predicate on `Chat::ChannelSerializer` gated by `can_preview_chat_channel?`, which is false for DM non-members but stays true
  for read-only category members so they keep seeing channel previews.
     - `channel_serializer.rb`, `channel_serializer_spec.rb`, `reviewables_controller_spec.rb`

- https://patch.discourse.org/patch-triage/1047 + https://patch.discourse.org/patch-triage/1053
     - The calendar event API leaked the chat channel block (and its `last_message` body) to anonymous viewers and any user without chat access. Gated
  `include_channel?` with `can_chat? && can_preview_chat_channel?` (excludes anonymous and users not in `chat_allowed_groups`, while preserving read-only
  category access) and passed membership through to the channel serializer.
     - `discourse-calendar/app/serializers/discourse_post_event/event_serializer.rb`, `discourse-calendar/spec/requests/events_controller_spec.rb`

https://github.com/discourse/discourse/security/advisories/GHSA-rw8j-p2gv-q33w
2026-05-19 00:26:04 +01:00
..
chat SECURITY: Chat authorization and disclosure fixes 2026-05-19 00:26:04 +01:00
current_user_serializer_spec.rb DEV: add shortcut fab!(:variable, :fabricator) to specs (#33577) 2025-07-11 11:16:34 -03:00
user_serializer_spec.rb FEATURE: One-click chat reaction settings (#32150) 2025-04-04 09:15:13 +02:00