mirror/php-flarum
1
0
Fork 0
mirror of https://github.com/flarum/core.git synced 2025-08-08 17:36:38 +02:00
Code Issues Releases Wiki Activity

Merge pull request from GHSA-22m9-m3ww-53h3

Browse Source 
* fix: check post visibility when mentioning

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

* fix: `mentionsPosts` include is not used and leaks private posts

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

* chre: use `PostRepository`

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>

Signed-off-by: Sami Mazouz <sychocouldy@gmail.com>
This commit is contained in:
Sami Mazouz
2023-01-10 12:43:46 +01:00
parent 8a65ad980d
commit 132fdea659
6 changed files with 52 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
extensions/mentions/tests/integration/api/PostMentionsTest.php
View File

@@ -38,6 +38,7 @@ class PostMentionsTest extends TestCase
],
'discussions' => [
['id' => 2, 'title' => __CLASS__, 'created_at' => Carbon::now(), 'last_posted_at' => Carbon::now(), 'user_id' => 3, 'first_post_id' => 4, 'comment_count' => 2],
['id' => 50, 'title' => __CLASS__, 'is_private' => true, 'created_at' => Carbon::now(), 'last_posted_at' => Carbon::now(), 'user_id' => 3, 'first_post_id' => 4, 'comment_count' => 1],
],
'posts' => [
['id' => 4, 'number' => 2, 'discussion_id' => 2, 'created_at' => Carbon::now(), 'user_id' => 3, 'type' => 'comment', 'content' => '<r><POSTMENTION displayname="TobyFlarum___" id="5" number="2" discussionid="2" username="toby">@tobyuuu#5</POSTMENTION></r>'],
@@ -49,6 +50,9 @@ class PostMentionsTest extends TestCase
['id' => 10, 'number' => 11, 'discussion_id' => 2, 'created_at' => Carbon::now(), 'user_id' => 4, 'type' => 'comment', 'content' => '<r><POSTMENTION displayname="Bad &quot;#p6 User" id="9" number="10" discussionid="2">@"Bad "#p6 User"#p9</POSTMENTION></r>'],
['id' => 11, 'number' => 12, 'discussion_id' => 2, 'created_at' => Carbon::now(), 'user_id' => 40, 'type' => 'comment', 'content' => '<r><POSTMENTION displayname="Bad &quot;#p6 User" id="9" number="10" discussionid="2">@"Bad "#p6 User"#p9</POSTMENTION></r>'],
['id' => 12, 'number' => 13, 'discussion_id' => 2, 'created_at' => Carbon::now(), 'user_id' => 4, 'type' => 'comment', 'content' => '<r><POSTMENTION displayname="deleted_user" id="11" number="12" discussionid="2">@"acme"#p11</POSTMENTION></r>'],
// Restricted access
['id' => 50, 'number' => 1, 'discussion_id' => 50, 'created_at' => Carbon::now(), 'user_id' => 3, 'type' => 'comment', 'content' => '<r>no</r>'],
],
'post_mentions_post' => [
['post_id' => 4, 'mentions_post_id' => 5],
@@ -128,6 +132,37 @@ class PostMentionsTest extends TestCase
$this->assertNotNull(CommentPost::find($response['data']['id'])->mentionsPosts->find(4));
}
/**
* @test
*/
public function cannot_mention_a_post_without_access()
{
$response = $this->send(
$this->request('POST', '/api/posts', [
'authenticatedAs' => 1,
'json' => [
'data' => [
'attributes' => [
'content' => '@"potato"#p50',
],
'relationships' => [
'discussion' => ['data' => ['id' => 2]],
],
],
],
])
);
$this->assertEquals(201, $response->getStatusCode());
$response = json_decode($response->getBody(), true);
$this->assertStringContainsString('potato', $response['data']['attributes']['contentHtml']);
$this->assertEquals('@"potato"#p50', $response['data']['attributes']['content']);
$this->assertStringNotContainsString('PostMention', $response['data']['attributes']['contentHtml']);
$this->assertNull(CommentPost::find($response['data']['id'])->mentionsPosts->find(50));
}
/**
* @test
*/