discourse/plugins/discourse-policy/lib
Alan Guo Xiang Tan 451ed6aa98 SECURITY: Validate policy permissions on post save
The `create_policy_allowed_groups` setting controls who can create
policies, but it only gates the composer UI and the
`post_process_cooked` event handler. It does not prevent unauthorized
users from injecting `[policy]` markup directly into post raw — for
example, by editing a wiki post.

Add `DiscoursePolicy::PostValidator` as an ActiveRecord validation on
`Post`. When policies are added, removed, or modified, both the post
owner and the acting user must belong to `create_policy_allowed_groups`
or the save is rejected. Policies inside blockquotes are ignored.
2026-03-19 15:21:28 +00:00
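The check described in the commit message above, as an added stand-alone Ruby model (not the plugin's own `DiscoursePolicy::PostValidator`, whose internals this page does not show): it extracts `[policy]` markup from the raw before and after an edit, ignores occurrences inside blockquotes, and rejects the save unless both the post owner and the acting user belong to an allowed group. The module name, the `validate` signature, the group data and the sample post text are all assumptions made for this example; it does not touch Discourse's `Post` model or site settings.

```ruby
require 'set'

# Hypothetical stand-in for DiscoursePolicy::PostValidator (example only,
# not the plugin's code).
module PolicyPermissionCheckExample
  # Matches the plugin's [policy ...] ... [/policy] raw markup.
  POLICY_TAG = /\[policy([^\]]*)\](.*?)\[\/policy\]/m

  # Constructed sample data standing in for the `create_policy_allowed_groups`
  # setting and for group membership; not real Discourse data.
  ALLOWED_GROUPS = Set['staff'].freeze
  USER_GROUPS = {
    'alice'   => Set['staff', 'trust_level_1'],
    'mallory' => Set['trust_level_1'],
  }.freeze

  # Drop quoted regions so a policy someone merely quotes is not counted:
  # [quote]...[/quote] BBCode blocks and Markdown lines starting with '>'.
  def self.strip_blockquotes(raw)
    raw.gsub(/\[quote[^\]]*\].*?\[\/quote\]/m, '')
       .lines
       .reject { |line| line.lstrip.start_with?('>') }
       .join
  end

  # Normalized, order-independent list of the policies present in raw text.
  def self.extract_policies(raw)
    strip_blockquotes(raw.to_s)
      .scan(POLICY_TAG)
      .map { |attrs, body| "#{attrs.strip}|#{body.strip}" }
      .sort
  end

  # True when a policy was added, removed or modified between two revisions.
  def self.policies_changed?(old_raw, new_raw)
    extract_policies(old_raw) != extract_policies(new_raw)
  end

  # Returns an array of error messages; empty means the save may proceed.
  # Whenever the policy set changed, both the post owner and the user
  # performing the edit must be in an allowed group. Edits that leave the
  # policies untouched (including quoting one) are not gated.
  def self.validate(old_raw:, new_raw:, owner:, acting_user:,
                    allowed_groups: ALLOWED_GROUPS, user_groups: USER_GROUPS)
    return [] unless policies_changed?(old_raw, new_raw)

    [owner, acting_user].uniq.filter_map do |username|
      groups = user_groups.fetch(username, Set.new)
      "#{username} is not allowed to create policies" if (groups & allowed_groups).empty?
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed scenario: a wiki post owned by alice (staff); mallory (not
  # staff) injects policy markup directly into the raw, bypassing the composer.
  wiki_before = "Team agreement\n"
  wiki_after  = wiki_before + "[policy group=staff]\nI agree to this.\n[/policy]\n"
  p PolicyPermissionCheckExample.validate(old_raw: wiki_before, new_raw: wiki_after,
                                          owner: 'alice', acting_user: 'mallory')
end
```

Comparing the normalized policy sets of the old and new raw, rather than just looking for `[policy]` in the new raw, is what makes removal and modification by an unauthorized editor fail while an unrelated text edit to a post that already carries a policy still saves.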
discourse_policy DEV: Clean up scope resolution operators in plugins (#34979) 2025-09-30 14:36:34 +02:00
email_controller_helper
extensions
policy_mailer.rb
post_validator.rb SECURITY: Validate policy permissions on post save 2026-03-19 15:21:28 +00:00