Discourse/discourse
Discourse/discourse
0
0
Fork 0
mirror of https://gh.wpcy.net/https://github.com/discourse/discourse.git synced 2026-05-21 19:42:54 +08:00
Code Packages Activity Actions
discourse/plugins/chat/spec
History
Exact
Nat d327865476 SECURITY: Restrict public chat MessageBus broadcasts to chat-eligible users [backport 2026.4] 
Backport of #659 to release/2026.4.

---

Public category chat events were being published without MessageBus permissions, which meant anonymous or chat-disabled subscribers could receive chat payloads.

This scopes those broadcasts to the configured chat-allowed groups, and maps everyone to trust_level_0 so logged-in users still get updates without exposing them to anon clients.

https://github.com/discourse/discourse/security/advisories/GHSA-j7wq-rf5c-8783
2026-05-19 00:25:09 +01:00
..
components/chat FEATURE: separate chat emails from regular emails (#36018) 2025-11-13 16:44:07 +04:00
fabricators FEATURE: Pin chat messages (#37985) 2026-02-23 22:00:16 +01:00
integration DEV: Don't use fab! for non-ActiveRecord model objects (#39272) 2026-04-15 00:52:34 +02:00
jobs FEATURE: Pin chat messages (#37985) 2026-02-23 22:00:16 +01:00
lib SECURITY: Chat authorization and disclosure fixes [backport 2026.4] 2026-05-19 00:25:09 +01:00
mailers FEATURE: better email subject lines (#36040) 2026-04-24 15:14:10 +04:00
models FIX: Escape markdown characters in upload filenames (#39133) 2026-04-14 10:37:41 +02:00
queries/chat PERF: speed up chat channel and thread unread queries (#39398) 2026-04-22 14:57:56 +10:00
requests SECURITY: Chat authorization and disclosure fixes [backport 2026.4] 2026-05-19 00:25:09 +01:00
serializer SECURITY: Chat authorization and disclosure fixes [backport 2026.4] 2026-05-19 00:25:09 +01:00
services SECURITY: Restrict public chat MessageBus broadcasts to chat-eligible users [backport 2026.4] 2026-05-19 00:25:09 +01:00
support FEATURE: Pin chat messages (#37985) 2026-02-23 22:00:16 +01:00
system DEV: Restore and update chat preferences spec (#39583) 2026-04-27 17:35:31 +02:00
validators FEATURE: Add setting to prevent anonymous users from using chat (#31842) 2025-03-21 13:32:52 +03:00
plugin_helper.rb SECURITY: Restrict public chat MessageBus broadcasts to chat-eligible users [backport 2026.4] 2026-05-19 00:25:09 +01:00
plugin_spec.rb FIX: show chat DM button when personal messages are restricted (#37920) 2026-02-19 12:37:25 +01:00