discourse
/
discourse-assign
mirror of https://github.com/discourse/discourse-assign.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

FIX: ensure that assignee is participant of pm (#349) 

We are already checking that assignee has access to the private message. However, admin still can be assigned as technically they have access.

We should ensure that assignee has direct access to the message.
This commit is contained in:
Krzysztof Kotlarek 2022-06-16 10:08:22 +10:00 committed by GitHub
parent af49e987de
commit 0b5f688451
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
lib/assigner.rb
View File

@ -160,7 +160,12 @@ class ::Assigner
@post_target ||= @target.is_a?(Post)
end
def private_message_allowed_user_ids
@private_message_allowed_user_ids ||= topic.all_allowed_users.pluck(:id)
end
def can_assignee_see_target?(assignee)
return false if (topic_target? || post_target?) && topic.private_message? && !private_message_allowed_user_ids.include?(assignee.id)
return Guardian.new(assignee).can_see_topic?(@target) if topic_target?
return Guardian.new(assignee).can_see_post?(@target) if post_target?

14
spec/lib/assigner_spec.rb
View File

@ -16,6 +16,7 @@ RSpec.describe Assigner do
let(:secure_topic) { Fabricate(:post).topic.tap { |t| t.update(category: secure_category) } }
let(:moderator) { Fabricate(:moderator, groups: [assign_allowed_group]) }
let(:moderator_2) { Fabricate(:moderator, groups: [assign_allowed_group]) }
let(:admin) { Fabricate(:admin) }
let(:assigner) { described_class.new(topic, moderator_2) }
let(:assigner_self) { described_class.new(topic, moderator) }
@ -231,11 +232,24 @@ RSpec.describe Assigner do
expect(assign[:reason]).to eq(:forbidden_assignee_not_pm_participant)
end
it 'fails to assign when the assigned admin cannot view the pm' do
assign = described_class.new(pm, moderator_2).assign(admin)
expect(assign[:success]).to eq(false)
expect(assign[:reason]).to eq(:forbidden_assignee_not_pm_participant)
end
it 'fails to assign when not all group members has access to pm' do
assign = described_class.new(pm, moderator_2).assign(moderator.groups.first)
expect(assign[:success]).to eq(false)
expect(assign[:reason]).to eq(:forbidden_group_assignee_not_pm_participant)
# even when admin
assign = described_class.new(pm, moderator_2).assign(admin.groups.first)
expect(assign[:success]).to eq(false)
expect(assign[:reason]).to eq(:forbidden_group_assignee_not_pm_participant)
end
it 'fails to assign when the assigned user cannot view the topic' do

1
spec/lib/topic_query_spec.rb
View File

@ -24,6 +24,7 @@ describe TopicQuery do
[user_pm, admin_pm, other_admin_pm].each do |topic|
Fabricate(:post, topic: topic)
end
Fabricate(:topic_allowed_user, user: admin, topic: user_pm)
Assigner.new(user_pm, Discourse.system_user).assign(admin)
Assigner.new(admin_pm, Discourse.system_user).assign(admin)