SECURITY: make find topic by slug adhere to SiteSetting.detailed_404 (#9898)

2020-05-27 08:28:38 -10:00 · 2020-05-27 08:28:38 -10:00 · b6ff3b6a26
commit b6ff3b6a26
parent 745d1de40c
2 changed files with 17 additions and 0 deletions
--- a/app/controllers/topics_controller.rb
+++ b/app/controllers/topics_controller.rb
@ -946,6 +946,16 @@ class TopicsController < ApplicationController
  end

  def redirect_to_correct_topic(topic, post_number = nil)
+    begin
+      guardian.ensure_can_see!(topic)
+    rescue Discourse::InvalidAccess => ex
+      if !SiteSetting.detailed_404
+        raise Discourse::NotFound
+      else
+        raise ex
+      end
+    end
+
    url = topic.relative_url
    url << "/#{post_number}" if post_number.to_i > 0
    url << ".json" if request.format.json?
--- a/spec/requests/topics_controller_spec.rb
+++ b/spec/requests/topics_controller_spec.rb
@ -1,3 +1,4 @@
+# coding: utf-8
 # frozen_string_literal: true

 require 'rails_helper'
@ -1405,6 +1406,12 @@ RSpec.describe TopicsController do
            expect(response.status).to eq(value)
          end
        end
+
+        expected_slug_response = expected[:secure_topic] == 200 ? 301 : expected[:secure_topic]
+        it "will return a #{expected_slug_response} when requesting a secure topic by slug" do
+          get "/t/#{secure_topic.slug}"
+          expect(response.status).to eq(expected_slug_response)
+        end
      end

      context 'without detailed error pages' do