discourse/spec/services/user
Isaac Janzen 4b9ee0bc05 SECURITY: Enforce edit permissions and audit trail in TriggerPostAction
The suspend/silence endpoint accepted an arbitrary post_id with
post_action "edit". Because the edit action had no guardian check,
a moderator could target any static doc post (ToS, guidelines, privacy
policy) — posts moderators are explicitly blocked from editing — even
ones unrelated to the user being suspended.

Add the missing can_edit_post? guardian check to the edit action,
consistent with the existing checks on delete and delete_replies.
2026-03-19 15:21:28 +00:00
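Added example, not Discourse's own code: a stripped-down Ruby model of the bug the commit describes, in which a service dispatches on `post_action` and the `delete` branch is guarded while `edit` is not. `Post`, `User`, `Guardian`, `PermissionDenied`, `TriggerPostActionVulnerable` and `TriggerPostActionFixed` are hypothetical stand-ins for the real Discourse classes, and the guardian rules are simplified to the one point that matters here: moderators may edit ordinary posts but not static docs.

```ruby
# Added example (not Discourse's own code) modelling the reported bug: a
# service that dispatches on post_action, with "delete" guarded by the
# guardian and "edit" not. Post, User, Guardian, PermissionDenied and both
# service classes are hypothetical stand-ins for the real Discourse code.

Post = Struct.new(:id, :user_id, :static_doc, :raw, keyword_init: true)
User = Struct.new(:id, :moderator, :admin, keyword_init: true)

class PermissionDenied < StandardError; end

# Simplified guardian: admins may do anything; moderators may edit or
# delete ordinary posts but never static-doc posts (ToS, guidelines,
# privacy policy). The real Discourse Guardian has more rules than this.
class Guardian
  def initialize(actor)
    @actor = actor
  end

  def can_edit_post?(post)
    return true if @actor.admin
    return false if post.static_doc
    @actor.moderator || post.user_id == @actor.id
  end

  def can_delete_post?(post)
    @actor.admin || (@actor.moderator && !post.static_doc)
  end
end

class TriggerPostActionBase
  attr_reader :audit_log

  def initialize(actor:, posts:)
    @actor = actor
    @guardian = Guardian.new(actor)
    @posts = posts.map { |p| [p.id, p] }.to_h # post_id => Post
    @audit_log = []
  end

  # post_id comes straight from the request; nothing ties it to the user
  # being suspended, so every branch must authorise against the post.
  def call(post_id:, post_action:)
    post = @posts.fetch(post_id)
    case post_action
    when "delete"
      raise PermissionDenied, "delete" unless @guardian.can_delete_post?(post)
      post.raw = nil
    when "edit"
      edit!(post)
    else
      raise ArgumentError, "unknown post_action #{post_action.inspect}"
    end
    post
  end
end

# Before the fix: the edit branch rewrites whatever post_id names.
class TriggerPostActionVulnerable < TriggerPostActionBase
  def edit!(post)
    post.raw = "(edited by staff)"
  end
end

# After the fix: the same guardian check style as delete, applied before
# the write, plus an audit entry recording who edited which post.
class TriggerPostActionFixed < TriggerPostActionBase
  def edit!(post)
    raise PermissionDenied, "edit" unless @guardian.can_edit_post?(post)
    post.raw = "(edited by staff)"
    @audit_log << { actor_id: @actor.id, post_id: post.id, action: "edit" }
  end
end

# Constructed sample data: one moderator, one ordinary post, the ToS post.
MODERATOR = User.new(id: 7, moderator: true, admin: false)

def sample_posts
  [
    Post.new(id: 1, user_id: 42, static_doc: false, raw: "spam"),
    Post.new(id: 2, user_id: 1, static_doc: true, raw: "Terms of Service"),
  ]
end

# Runs an edit through the given service as the moderator and returns the
# post's raw afterwards, or :denied if the guardian refused it.
def edit_outcome(service_class, post_id)
  service = service_class.new(actor: MODERATOR, posts: sample_posts)
  service.call(post_id: post_id, post_action: "edit").raw
rescue PermissionDenied
  :denied
end

# Number of audit entries the fixed service writes for one edit attempt;
# a refused edit writes none because nothing was modified.
def audit_entries_after_edit(post_id)
  service = TriggerPostActionFixed.new(actor: MODERATOR, posts: sample_posts)
  begin
    service.call(post_id: post_id, post_action: "edit")
  rescue PermissionDenied
    nil
  end
  service.audit_log.size
end

if __FILE__ == $PROGRAM_NAME
  p edit_outcome(TriggerPostActionVulnerable, 2) # ToS post silently rewritten
  p edit_outcome(TriggerPostActionFixed, 2)      # :denied
  p edit_outcome(TriggerPostActionFixed, 1)      # ordinary post still editable
end
```

The point to carry over to the real service is the one the commit makes: the check belongs on the post the caller named, before anything is written, in the same place and shape as the existing `delete` and `delete_replies` checks, so that a reviewer reading the dispatch sees every branch authorised the same way.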
action SECURITY: Enforce edit permissions and audit trail in TriggerPostAction 2026-03-19 15:21:28 +00:00
bulk_destroy_spec.rb DEV: Add missing specs to User::BulkDestroy 2025-04-08 11:42:51 +02:00
silence_spec.rb FIX: bug when silence user and do nothing to post (#33819) 2025-07-25 10:31:22 +08:00
suspend_spec.rb FEATURE: Add background job and ability to delete posts from suspend user modal (#36813) 2026-01-07 10:25:01 -06:00