From 99c2b75dd40557f7d8bb877afe95fdc3bab5b866 Mon Sep 17 00:00:00 2001
From: Alan Guo Xiang Tan
Date: Fri, 23 Jul 2021 14:50:28 +0800
Subject: [PATCH] SECURITY: Don't leak user of previous whisper post when deleting a topic.

A topic's last poster can be incorrectly set to a user of a whisper post if the whisper post is before the last post and the last post is deleted.
---
 lib/post_destroyer.rb | 1 +
 spec/components/post_destroyer_spec.rb | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/lib/post_destroyer.rb b/lib/post_destroyer.rb
index 04d8c6d7b5..496f7bbded 100644
--- a/lib/post_destroyer.rb
+++ b/lib/post_destroyer.rb
@@ -258,6 +258,7 @@ class PostDestroyer
 .select(:created_at, :user_id, :post_number)
 .where("topic_id = ? and id <> ?", @post.topic_id, @post.id)
 .where.not(user_id: nil)
+.where.not(post_type: Post.types[:whisper])
 .order('created_at desc')
 .limit(1)
 .first
diff --git a/spec/components/post_destroyer_spec.rb b/spec/components/post_destroyer_spec.rb
index e9a005d6f0..9cfc49bd37 100644
--- a/spec/components/post_destroyer_spec.rb
+++ b/spec/components/post_destroyer_spec.rb
@@ -616,6 +616,22 @@ describe PostDestroyer do
 end
 end
 
+describe "deleting a post directly after a whisper" do
+before do
+SiteSetting.enable_whispers = true
+end
+
+it 'should not set Topic#last_post_user_id to a whisperer' do
+post_1 = create_post(topic: post.topic, user: moderator)
+whisper_1 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+whisper_2 = create_post(topic: post.topic, user: Fabricate(:user), post_type: Post.types[:whisper])
+
+PostDestroyer.new(admin, whisper_2).destroy
+
+expect(post.topic.reload.last_post_user_id).to eq(post_1.user.id)
+end
+end
+
 context 'deleting the second post in a topic' do
 fab!(:user) { Fabricate(:user) }
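Review bot: The new `.where.not(post_type: Post.types[:whisper])` in the post_destroyer.rb hunk carries no comment saying why whispers are skipped, and since the reason is confidentiality rather than data shape, a later cleanup could easily merge it into the adjacent `where.not(user_id: nil)` or drop it; I would annotate it with `# whispers are not visible to ordinary readers, so a whisperer must never become the topic's public last poster`. Keeping it as a separate `.where.not` call also looks deliberate and is worth a second comment, because folding both predicates into one `where.not(user_id: nil, post_type: …)` produces different SQL on Rails 6.1+ (a single `NOT (a AND b)` instead of two negated clauses), which would silently reintroduce the leak. The query chain begins before `.select` and the enclosing method continues outside the hunk, so I cannot confirm from here whether deleted rows are already excluded; any other code path that recomputes `last_post_user_id` presumably needs the same whisper exclusion.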