discourse/plugins/chat/app
Nat d327865476 SECURITY: Restrict public chat MessageBus broadcasts to chat-eligible users [backport 2026.4]
Backport of #659 to release/2026.4.

---

Public category chat events were being published without MessageBus permissions, which meant anonymous or chat-disabled subscribers could receive chat payloads.

This scopes those broadcasts to the configured chat-allowed groups, and maps everyone to trust_level_0 so logged-in users still get updates without exposing them to anon clients.

https://github.com/discourse/discourse/security/advisories/GHSA-j7wq-rf5c-8783
2026-05-19 00:25:09 +01:00
controllers/chat SECURITY: Chat authorization and disclosure fixes [backport 2026.4] 2026-05-19 00:25:09 +01:00
jobs FEATURE: Pin chat messages (#37985) 2026-02-23 22:00:16 +01:00
models PERF: speed up chat channel and thread unread queries (#39398) 2026-04-22 14:57:56 +10:00
queries/chat PERF: speed up chat channel and thread unread queries (#39398) 2026-04-22 14:57:56 +10:00
serializers/chat SECURITY: Chat authorization and disclosure fixes [backport 2026.4] 2026-05-19 00:25:09 +01:00
services/chat SECURITY: Restrict public chat MessageBus broadcasts to chat-eligible users [backport 2026.4] 2026-05-19 00:25:09 +01:00
validators/chat FEATURE: Add setting to prevent anonymous users from using chat (#31842) 2025-03-21 13:32:52 +03:00
views PERF: fix performance of chat email notifications 2024-06-10 14:25:06 +02:00