From f4e319d230464a4378862dc16269a21632ca6b09 Mon Sep 17 00:00:00 2001 From: Alan Guo Xiang Tan Date: Thu, 5 Jan 2023 06:20:11 +0800 Subject: [PATCH] SECURITY: Don't expose user post counts to users who can't see the topic (#19740) Co-authored-by: Penar Musaraj Co-authored-by: Daniel Waterworth Co-authored-by: Penar Musaraj --- app/controllers/users_controller.rb | 2 +- spec/requests/users_controller_spec.rb | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb index 1cc1d0e2b4..f7debba784 100644 --- a/app/controllers/users_controller.rb +++ b/app/controllers/users_controller.rb @@ -72,7 +72,7 @@ class UsersController < ApplicationController user_serializer = serializer_class.new(@user, scope: guardian, root: 'user') topic_id = params[:include_post_count_for].to_i - if topic_id != 0 + if topic_id != 0 && guardian.can_see?(Topic.find_by_id(topic_id)) user_serializer.topic_post_count = { topic_id => Post.secured(guardian).where(topic_id: topic_id, user_id: @user.id).count } end else diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb index 9c451a2b88..238aa6bed2 100644 --- a/spec/requests/users_controller_spec.rb +++ b/spec/requests/users_controller_spec.rb @@ -4201,6 +4201,15 @@ RSpec.describe UsersController do expect(topic_post_count[topic.id.to_s]).to eq(1) end + it "doesn't include the post count when the signed in user doesn't have access" do + c = Fabricate(:category, read_restricted: true) + topic.update(category_id: c.id) + expect(Guardian.new(user1).can_see?(topic)).to eq(false) + get "/u/#{admin.username}.json", params: { include_post_count_for: topic.id } + topic_post_count = response.parsed_body.dig("user", "topic_post_count") + expect(topic_post_count).to eq(nil) + end + it "includes all post types for staff members" do SiteSetting.whispers_allowed_groups = "#{Group::AUTO_GROUPS[:staff]}" sign_in(admin)
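Review bot: The new condition `topic_id != 0 && guardian.can_see?(Topic.find_by_id(topic_id))` relies on `Guardian#can_see?` treating a `nil` argument as not visible whenever the id matches no topic; that is implicit, and a later change to `can_see?` could quietly re-open the leak for unknown ids. Loading the topic into a local and checking it explicitly fails closed on its own and reads better: `topic = Topic.find_by(id: topic_id)` / `if topic && guardian.can_see?(topic)`. Because `@user` is the profile being viewed rather than the requester, the intent deserves a comment on the condition such as `# Only reveal the per-topic post count when the requester can see the topic itself; the commit history shows Post.secured alone was not enough.` The `if ... else` this sits in starts and ends outside the hunk.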
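Review bot: The added example covers only a read-restricted category, while the controller guard also changes behaviour for a topic id that matches no topic (where `Topic.find_by_id` returns nil) and presumably for private messages the requester is not party to; neither path is exercised. A companion example for an unknown id would pin that behaviour, e.g. `get "/u/#{admin.username}.json", params: { include_post_count_for: -1 }` followed by `expect(response.parsed_body.dig("user", "topic_post_count")).to be_nil`. The example appears to depend on a `sign_in(user1)` from a `before` block outside the hunk; if so, an explicit `sign_in(user1)` inside the example would make its precondition visible next to the `Guardian.new(user1)` assertion. `expect(topic_post_count).to eq(nil)` is conventionally written `expect(topic_post_count).to be_nil`.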