SECURITY: Hide invitees from users who are not allowed to see the event post (#544)

2024-02-22 11:32:47 +08:00 · 2024-02-22 11:32:47 +08:00 · 84ef46a38c
parent dfc4fa15f3
commit 84ef46a38c
3 changed files with 28 additions and 1 deletions
--- a/app/controllers/discourse_post_event/invitees_controller.rb
+++ b/app/controllers/discourse_post_event/invitees_controller.rb
@ -4,6 +4,7 @@ module DiscoursePostEvent
  class InviteesController < DiscoursePostEventController
    def index
      event = Event.find(params[:post_id])
+      guardian.ensure_can_see!(event.post)

      event_invitees = event.invitees

--- a/plugin.rb
+++ b/plugin.rb
@ -3,7 +3,7 @@
 # name: discourse-calendar
 # about: Adds the ability to create a dynamic calendar with events in a topic.
 # meta_topic_id: 97376
-# version: 0.3
+# version: 0.4
 # author: Daniel Waterworth, Joffrey Jaffeux
 # url: https://github.com/discourse/discourse-calendar

--- a/spec/requests/invitees_controller_spec.rb
+++ b/spec/requests/invitees_controller_spec.rb
@ -15,6 +15,32 @@ module DiscoursePostEvent
    let(:post_1) { Fabricate(:post, user: user, topic: topic_1) }

    describe "#index" do
+      context "for a post in a private category" do
+        let(:outside_user) { Fabricate(:user) }
+        let(:in_group_user) { Fabricate(:user) }
+        let(:group) { Fabricate(:group, users: [in_group_user]) }
+        let(:private_category) { Fabricate(:private_category, group:) }
+        let(:topic_1) { Fabricate(:topic, user: user, category: private_category) }
+        let(:post_1) { Fabricate(:post, user: user, topic: topic_1) }
+        let(:post_event_1) { Fabricate(:event, post: post_1) }
+
+        it "forbids non group user from seeing the list of invitees" do
+          sign_in(outside_user)
+
+          get "/discourse-post-event/events/#{post_event_1.id}/invitees.json"
+
+          expect(response.status).to eq(403)
+        end
+
+        it "allows group user to see the list of invitees" do
+          sign_in(in_group_user)
+
+          get "/discourse-post-event/events/#{post_event_1.id}/invitees.json"
+
+          expect(response.status).to eq(200)
+        end
+      end
+
      context "when params are included" do
        let(:invitee1) { Fabricate(:user, username: "Francis", name: "Francis") }
        let(:invitee2) { Fabricate(:user, username: "Francisco", name: "Francisco") }