Mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git, synced 2026-05-26 19:22:18 +08:00
Any user with assign permission could unassign/assign topics/posts they
cannot see (private categories, PMs they're not part of). This is
treated as a bug and not security due to the high status assigners
already have and the limited impact the action has. You would get a 200
and `{ success: true }` response which doesn't leak any important
information. So in practice it could only allow a highly trusted user to
be disruptive.
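
The gap the commit message describes, shown as an added example that is not part of the commit or of Discourse's code: a handler that checks only the assign permission, next to one that also checks visibility of the specific target. Every name here (`Target`, `User`, `can_see?`, `unassign_before`, `unassign_after`) is hypothetical, the data is constructed, and answering "not found" for a hidden target is an assumption about the hardened behaviour.

```ruby
# Toy model with constructed data; not Discourse's classes or its actual fix.
Target = Struct.new(:id, :allowed_user_ids) # allowed_user_ids nil => public
User   = Struct.new(:id, :can_assign)

class Forbidden < StandardError; end
class NotFound  < StandardError; end

TARGETS = {
  1 => Target.new(1, nil),      # public topic
  2 => Target.new(2, [10, 11]), # PM between users 10 and 11
}.freeze

# Visibility is a per-target decision, separate from the assign permission.
def can_see?(user, target)
  target.allowed_user_ids.nil? || target.allowed_user_ids.include?(user.id)
end

# Behaviour described in the commit message: only the assign permission is
# checked, so an assigner outside the PM still gets { success: true }.
def unassign_before(user, target_id, assignments)
  raise Forbidden unless user.can_assign
  target = TARGETS.fetch(target_id) { raise NotFound }
  assignments.delete(target.id)
  { success: true }
end

# Hardened form: the target must also be visible to the acting user, and a
# hidden target is reported the same way as a missing one (assumption).
def unassign_after(user, target_id, assignments)
  raise Forbidden unless user.can_assign
  target = TARGETS[target_id]
  raise NotFound if target.nil? || !can_see?(user, target)
  assignments.delete(target.id)
  { success: true }
end
```
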

| File |
|---|
| assign_controller.rb |