discourse/spec/requests/reviewable_claimed_topics_controller_spec.rb
Isaac Janzen 0e690370b4 SECURITY: Require topic visibility for category group moderator actions
Category group moderators could perform privileged actions (claim/unclaim reviewables, delete topics, recover topics, edit posts) on topics inside private categories they did not have read access to. The authorization methods checked `is_category_group_moderator?` without first verifying `can_see_topic?`, and the controllers loaded topics/posts by raw ID without visibility scoping.

This adds `can_see_topic?` guards to `can_review_topic?`, `can_delete_topic?`, `can_recover_topic?`, and `can_edit_post?` so that category group moderation power never bypasses category read restrictions.

---

**Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-hjmg-2mww-vfvx
2026-05-19 00:26:04 +01:00


# frozen_string_literal: true
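RSpec.describe ReviewableClaimedTopicsController do
  # Shared fixtures: a staff moderator and two topics, each carrying a flagged-post
  # reviewable so that claim/unclaim actions have a reviewable to record history on.
  fab!(:moderator)
  fab!(:topic)
  fab!(:automatic_topic, :topic)
  fab!(:reviewable) { Fabricate(:reviewable_flagged_post, topic: topic) }
  fab!(:automatic_reviewable) { Fabricate(:reviewable_flagged_post, topic: automatic_topic) }

  describe "#create" do
    let(:params) { { reviewable_claimed_topic: { topic_id: topic.id } } }

    it "requires user to be logged in" do
      post "/reviewable_claimed_topics.json", params: params
      expect(response.status).to eq(403)
    end

    # Regression coverage for the category-group-moderator visibility guard:
    # moderating a category must not grant claim rights on a topic the
    # moderator's own groups cannot read.
    context "when logged in as a category group moderator who cannot see the topic" do
      fab!(:mod_group, :group)
      fab!(:cat_mod_user, :user)
      # Read access is granted only to a freshly fabricated, unrelated group, so
      # cat_mod_user moderates private_category without being able to see it.
      fab!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
      fab!(:private_topic) { Fabricate(:topic, category: private_category) }
      fab!(:private_reviewable) { Fabricate(:reviewable_flagged_post, topic: private_topic) }

      before do
        SiteSetting.enable_category_group_moderation = true
        SiteSetting.reviewable_claiming = "optional"
        Fabricate(:category_moderation_group, category: private_category, group: mod_group)
        mod_group.add(cat_mod_user)
        sign_in(cat_mod_user)
      end

      # NOTE(review): #create answers 403 for a hidden topic, whereas #destroy
      # below answers 404 for hidden and missing topics alike. No example here
      # posts a non-existent topic_id, so whether #create lets a caller tell a
      # hidden topic apart from a missing one is not pinned down by this spec.
      it "prevents claiming a topic the user cannot see" do
        post "/reviewable_claimed_topics.json",
             params: {
               reviewable_claimed_topic: {
                 topic_id: private_topic.id,
               },
             }

        expect(response.status).to eq(403)
        expect(
          ReviewableClaimedTopic.where(user_id: cat_mod_user.id, topic_id: private_topic.id).exists?,
        ).to eq(false)
      end

      # The automatic flag relaxes the reviewable_claiming setting check; it must
      # not relax the visibility check.
      it "prevents claiming a topic the user cannot see with automatic param" do
        post "/reviewable_claimed_topics.json",
             params: {
               reviewable_claimed_topic: {
                 topic_id: private_topic.id,
                 automatic: "true",
               },
             }

        expect(response.status).to eq(403)
        expect(
          ReviewableClaimedTopic.where(user_id: cat_mod_user.id, topic_id: private_topic.id).exists?,
        ).to eq(false)
      end

      # Deleting the first post soft-deletes the topic; the hidden topic must stay
      # unclaimable on that path too.
      it "prevents claiming a deleted topic the user cannot see" do
        first_post = private_topic.first_post || Fabricate(:post, topic: private_topic)
        PostDestroyer.new(Discourse.system_user, first_post, context: "Automated testing").destroy

        post "/reviewable_claimed_topics.json",
             params: {
               reviewable_claimed_topic: {
                 topic_id: private_topic.id,
               },
             }

        expect(response.status).to eq(403)
        expect(
          ReviewableClaimedTopic.where(user_id: cat_mod_user.id, topic_id: private_topic.id).exists?,
        ).to eq(false)
      end
    end

    # Positive counterpart: the same moderator setup, but mod_group is also granted
    # full permission on the category, so the visibility guard passes.
    context "when logged in as a category group moderator who can see the topic" do
      fab!(:mod_group, :group)
      fab!(:cat_mod_user, :user)
      fab!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
      fab!(:private_topic) { Fabricate(:topic, category: private_category) }
      fab!(:private_reviewable) { Fabricate(:reviewable_flagged_post, topic: private_topic) }

      before do
        SiteSetting.enable_category_group_moderation = true
        SiteSetting.reviewable_claiming = "optional"
        private_category.set_permissions(mod_group => :full)
        private_category.save!
        Fabricate(:category_moderation_group, category: private_category, group: mod_group)
        mod_group.add(cat_mod_user)
        sign_in(cat_mod_user)
      end

      it "allows claiming a topic the user can see" do
        post "/reviewable_claimed_topics.json",
             params: {
               reviewable_claimed_topic: {
                 topic_id: private_topic.id,
               },
             }

        expect(response.status).to eq(200)
        expect(
          ReviewableClaimedTopic.where(user_id: cat_mod_user.id, topic_id: private_topic.id).exists?,
        ).to eq(true)
      end
    end

    context "when logged in" do
      before do
        SiteSetting.reviewable_claiming = "optional"
        sign_in(moderator)
      end

      it "works" do
        messages =
          MessageBus.track_publish("/reviewable_claimed") do
            post "/reviewable_claimed_topics.json", params: params
            expect(response.status).to eq(200)
          end

        expect(
          ReviewableClaimedTopic.where(user_id: moderator.id, topic_id: topic.id).exists?,
        ).to eq(true)

        claimed_history =
          topic.reviewables.first.history.where(
            reviewable_history_type: ReviewableHistory.types[:claimed],
          )
        expect(claimed_history.size).to eq(1)

        # Exactly one bus message, addressed to staff only (no category moderators configured).
        expect(messages.size).to eq(1)
        message = messages.first
        expect(message.data[:topic_id]).to eq(topic.id)
        expect(message.data[:user][:id]).to eq(moderator.id)
        expect(message.data[:claimed]).to be true
        expect(message.group_ids).to contain_exactly(Group::AUTO_GROUPS[:staff])
      end

      it "publishes reviewable claimed changes to the category moderators of the topic's category" do
        SiteSetting.enable_category_group_moderation = true
        SiteSetting.reviewable_claiming = "optional"

        group = Fabricate(:group)
        Fabricate(:category_moderation_group, category: topic.category, group:)

        messages =
          MessageBus.track_publish("/reviewable_claimed") do
            post "/reviewable_claimed_topics.json", params: params
            expect(response.status).to eq(200)
          end

        expect(messages.size).to eq(1)
        message = messages.first
        expect(message.data[:topic_id]).to eq(topic.id)
        expect(message.data[:user][:id]).to eq(moderator.id)
        expect(message.group_ids).to contain_exactly(Group::AUTO_GROUPS[:staff], group.id)
      end

      it "works with deleted topics" do
        first_post = topic.first_post || Fabricate(:post, topic: topic)
        PostDestroyer.new(Discourse.system_user, first_post, context: "Automated testing").destroy

        post "/reviewable_claimed_topics.json", params: params
        expect(response.status).to eq(200)
        expect(
          ReviewableClaimedTopic.where(user_id: moderator.id, topic_id: topic.id).exists?,
        ).to eq(true)
      end

      it "raises an error if user cannot claim the topic" do
        SiteSetting.reviewable_claiming = "disabled"

        post "/reviewable_claimed_topics.json", params: params
        expect(response.status).to eq(403)
      end

      # With claiming disabled, only the automatic flag permits a claim.
      it "allows claiming when automatic param is present" do
        SiteSetting.reviewable_claiming = "disabled"
        params[:reviewable_claimed_topic][:topic_id] = automatic_topic.id
        params[:reviewable_claimed_topic][:automatic] = "true"

        post "/reviewable_claimed_topics.json", params: params
        expect(response.status).to eq(200)
        expect(
          ReviewableClaimedTopic.where(user_id: moderator.id, topic_id: automatic_topic.id).exists?,
        ).to eq(true)
      end

      it "raises an error if topic is already claimed" do
        post "/reviewable_claimed_topics.json", params: params
        expect(
          ReviewableClaimedTopic.where(user_id: moderator.id, topic_id: topic.id).exists?,
        ).to eq(true)

        post "/reviewable_claimed_topics.json", params: params
        expect(response.status).to eq(409)
      end

      it "queues a sidekiq job to refresh reviewable counts for users who can see the reviewable" do
        SiteSetting.navigation_menu = "sidebar"
        SiteSetting.enable_category_group_moderation = true

        # Control user outside any moderation group; the enqueued group_ids must
        # not grow because of them.
        Fabricate(:user)
        group = Fabricate(:group)
        Fabricate(:category_moderation_group, category: topic.category, group:)
        notified = Fabricate(:user)
        group.add(notified)

        expect_enqueued_with(
          job: :refresh_users_reviewable_counts,
          args: {
            group_ids: [Group::AUTO_GROUPS[:staff], group.id],
          },
        ) do
          post "/reviewable_claimed_topics.json", params: params
          expect(response.status).to eq(200)
        end
      end
    end
  end

  describe "#destroy" do
    fab!(:claimed) { Fabricate(:reviewable_claimed_topic, topic: topic) }
    fab!(:automatic_claimed) do
      Fabricate(:reviewable_claimed_topic, topic: automatic_topic, automatic: true)
    end

    # Outer hook: runs before every nested before, so contexts that sign in a
    # different user simply override this session.
    before { sign_in(moderator) }

    context "when logged in as a regular user" do
      fab!(:user)

      before { sign_in(user) }

      it "returns 404 for both existing and non-existing topics to prevent enumeration" do
        SiteSetting.reviewable_claiming = "optional"

        delete "/reviewable_claimed_topics/#{topic.id}.json"
        existing_topic_status = response.status

        delete "/reviewable_claimed_topics/#{topic.id + 1000}.json"
        non_existing_topic_status = response.status

        expect(existing_topic_status).to eq(404)
        expect(non_existing_topic_status).to eq(404)
      end
    end

    # A hidden topic answers 404, the same status a regular user gets for both
    # existing and missing topics, so a moderator without read access cannot
    # confirm the topic exists via this endpoint.
    context "when logged in as a category group moderator who cannot see the topic" do
      fab!(:mod_group, :group)
      fab!(:cat_mod_user, :user)
      fab!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
      fab!(:private_topic) { Fabricate(:topic, category: private_category) }
      fab!(:private_claimed) { Fabricate(:reviewable_claimed_topic, topic: private_topic) }

      before do
        SiteSetting.enable_category_group_moderation = true
        SiteSetting.reviewable_claiming = "optional"
        Fabricate(:category_moderation_group, category: private_category, group: mod_group)
        mod_group.add(cat_mod_user)
        sign_in(cat_mod_user)
      end

      it "prevents unclaiming a topic the user cannot see" do
        delete "/reviewable_claimed_topics/#{private_topic.id}.json"

        expect(response.status).to eq(404)
        expect(ReviewableClaimedTopic.where(topic_id: private_topic.id).exists?).to eq(true)
      end

      it "prevents unclaiming a deleted topic the user cannot see" do
        first_post = private_topic.first_post || Fabricate(:post, topic: private_topic)
        PostDestroyer.new(Discourse.system_user, first_post, context: "Automated testing").destroy

        delete "/reviewable_claimed_topics/#{private_topic.id}.json"

        expect(response.status).to eq(404)
        expect(ReviewableClaimedTopic.where(topic_id: private_topic.id).exists?).to eq(true)
      end
    end

    context "when logged in as a category group moderator who can see the topic" do
      fab!(:mod_group, :group)
      fab!(:cat_mod_user, :user)
      fab!(:private_category) { Fabricate(:private_category, group: Fabricate(:group)) }
      fab!(:private_topic) { Fabricate(:topic, category: private_category) }
      fab!(:private_claimed) { Fabricate(:reviewable_claimed_topic, topic: private_topic) }

      before do
        SiteSetting.enable_category_group_moderation = true
        SiteSetting.reviewable_claiming = "optional"
        private_category.set_permissions(mod_group => :full)
        private_category.save!
        Fabricate(:category_moderation_group, category: private_category, group: mod_group)
        mod_group.add(cat_mod_user)
        sign_in(cat_mod_user)
      end

      it "allows unclaiming a topic the user can see" do
        delete "/reviewable_claimed_topics/#{private_topic.id}.json"

        expect(response.status).to eq(200)
        expect(ReviewableClaimedTopic.where(topic_id: private_topic.id).exists?).to eq(false)
      end
    end

    it "works" do
      SiteSetting.reviewable_claiming = "optional"

      messages =
        MessageBus.track_publish("/reviewable_claimed") do
          delete "/reviewable_claimed_topics/#{claimed.topic_id}.json"
          expect(response.status).to eq(200)
        end

      expect(ReviewableClaimedTopic.where(topic_id: claimed.topic_id).exists?).to eq(false)

      unclaimed_history =
        topic.reviewables.first.history.where(
          reviewable_history_type: ReviewableHistory.types[:unclaimed],
        )
      expect(unclaimed_history.size).to eq(1)

      expect(messages.size).to eq(1)
      message = messages.first
      expect(message.data[:topic_id]).to eq(topic.id)
      expect(message.data[:user][:id]).to eq(moderator.id)
      expect(message.data[:claimed]).to be false
      expect(message.group_ids).to contain_exactly(Group::AUTO_GROUPS[:staff])
    end

    it "works with deleted topics" do
      SiteSetting.reviewable_claiming = "optional"
      first_post = topic.first_post || Fabricate(:post, topic: topic)
      PostDestroyer.new(Discourse.system_user, first_post, context: "Automated testing").destroy

      delete "/reviewable_claimed_topics/#{claimed.topic_id}.json"

      expect(response.status).to eq(200)
      expect(
        ReviewableClaimedTopic.where(user_id: moderator.id, topic_id: topic.id).exists?,
      ).to eq(false)
    end

    it "raises an error if topic is missing" do
      delete "/reviewable_claimed_topics/111111111.json"
      expect(response.status).to eq(404)
    end

    # reviewable_claiming is left at its default here, so the moderator is not
    # allowed to claim; the endpoint still hides the topic behind a 404.
    it "returns 404 if user cannot claim the topic" do
      delete "/reviewable_claimed_topics/#{claimed.topic_id}.json"
      expect(response.status).to eq(404)
    end

    it "allows unclaiming when automatic param is present" do
      SiteSetting.reviewable_claiming = "disabled"

      delete "/reviewable_claimed_topics/#{automatic_claimed.topic_id}.json?automatic=true"

      expect(response.status).to eq(200)
      expect(
        ReviewableClaimedTopic.where(user_id: moderator.id, topic_id: automatic_topic.id).exists?,
      ).to eq(false)
    end

    it "queues a sidekiq job to refresh reviewable counts for users who can see the reviewable" do
      SiteSetting.reviewable_claiming = "optional"
      SiteSetting.navigation_menu = "sidebar"
      SiteSetting.enable_category_group_moderation = true

      # Control user outside any moderation group; the enqueued group_ids must
      # not grow because of them.
      Fabricate(:user)
      group = Fabricate(:group)
      Fabricate(:category_moderation_group, category: topic.category, group:)
      notified = Fabricate(:user)
      group.add(notified)

      expect_enqueued_with(
        job: :refresh_users_reviewable_counts,
        args: {
          group_ids: [Group::AUTO_GROUPS[:staff], group.id],
        },
      ) do
        delete "/reviewable_claimed_topics/#{claimed.topic_id}.json"
        expect(response.status).to eq(200)
      end
    end

    it "does not log unclaimed history when topic was not claimed" do
      SiteSetting.reviewable_claiming = "optional"
      claimed.destroy!

      delete "/reviewable_claimed_topics/#{topic.id}.json"
      expect(response.status).to eq(200)

      unclaimed_history =
        topic.reviewables.first.history.where(
          reviewable_history_type: ReviewableHistory.types[:unclaimed],
        )
      expect(unclaimed_history.size).to eq(0)
    end
  end
end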