discourse/plugins/poll/lib
Isaac Janzen d74ff25db9 SECURITY: Check topic visibility before allowing poll interactions
## Summary

- Adds a `guardian.can_see_topic?` check in `DiscoursePoll::Poll` to prevent users from interacting with polls on topics they can no longer access
- Covers the case where a user loses group membership for a private category but could still toggle poll status via the API
- Adds integration test verifying poll toggle is blocked after group removal

---

**Security Advisory:** https://github.com/discourse/discourse/security/advisories/GHSA-wq58-pvf6-w4p8
2026-03-31 15:12:45 +01:00
| Name | Last commit | Date |
| --- | --- | --- |
| poll | DEV: Clean up scope resolution operators in plugins (#34979) | 2025-09-30 14:36:34 +02:00 |
| poll.rb | SECURITY: Check topic visibility before allowing poll interactions | 2026-03-31 15:12:45 +01:00 |
| polls_updater.rb | FEATURE: dynamic poll support (#34368) | 2025-08-19 16:43:36 +10:00 |
| polls_validator.rb | DEV: Clean up scope resolution operators in plugins (#34979) | 2025-09-30 14:36:34 +02:00 |
| post_extension.rb | FEATURE: dynamic poll support (#34368) | 2025-08-19 16:43:36 +10:00 |
| post_validator.rb | DEV: Move core plugin TL -> group settings (#25355) | 2024-01-23 11:35:14 +10:00 |
| ranked_choice.rb | FIX: poll ranked choice result algo majority check (#28191) | 2024-08-02 08:51:26 +02:00 |
| user_extension.rb | DEV: Update rubocop-discourse to latest version | 2024-03-04 15:08:35 +01:00 |