DEV: Improve tests coverage when listing private messages. (#14385)

DEV: Improve tests coverage when listing private messages. (#14385)

This is in response to the security incident published in https://github.com/discourse/discourse/security/advisories/GHSA-vm3x-w6jm-j9vv.

The security incident highlighted a gap in our test suite so we’re adding more test cases to ensure that personal and group messages do not leak between users in the future.

diff --git a/spec/lib/topic_query/private_message_lists_spec.rb b/spec/lib/topic_query/private_message_lists_spec.rb
index 681a4b8..a5108eb 100644
--- a/spec/lib/topic_query/private_message_lists_spec.rb
+++ b/spec/lib/topic_query/private_message_lists_spec.rb
@@ -5,6 +5,8 @@ require 'rails_helper'
 describe TopicQuery::PrivateMessageLists do
   fab!(:user) { Fabricate(:user) }
   fab!(:user_2) { Fabricate(:user) }
+  fab!(:user_3) { Fabricate(:user) }
+  fab!(:user_4) { Fabricate(:user) }
 
   fab!(:group) do
     Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
@@ -12,6 +14,12 @@ describe TopicQuery::PrivateMessageLists do
     end
   end
 
+  fab!(:group_2) do
+    Fabricate(:group, messageable_level: Group::ALIAS_LEVELS[:everyone]).tap do |g|
+      g.add(user_4)
+    end
+  end
+
   fab!(:group_message) do
     create_post(
       user: user,
@@ -20,6 +28,14 @@ describe TopicQuery::PrivateMessageLists do
     ).topic
   end
 
+  fab!(:group_message_2) do
+    create_post(
+      user: user_3,
+      target_group_names: [group_2.name],
+      archetype: Archetype.private_message
+    ).topic
+  end
+
   fab!(:private_message) do
     create_post(
       user: user,
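Review bot: The fixture relationships that the new expectations rely on are not written down anywhere: `group_message_2` is authored by `user_3`, who is never added to `group_2`, while `user_4` is the only member added in the `group_2` block. A short comment above this block would make the access matrix readable without cross-referencing the fixtures, for example `# user_3 posts to group_2 as a non-member; user_4 is group_2's only member`. The hunk ends inside the following `private_message` block, which continues outside it.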
@@ -337,4 +353,65 @@ describe TopicQuery::PrivateMessageLists do
         .to contain_exactly(pm_2)
     end
   end
+
+  describe '#private_messages_for' do
+    it 'returns a list of group private messages for a given user' do
+      expect(
+        TopicQuery
+          .new(user, group_name: group.name)
+          .private_messages_for(user, :group)
+      ).to eq([])
+
+      expect(
+        TopicQuery
+          .new(user_2, group_name: group.name)
+          .private_messages_for(user_2, :group)
+      ).to contain_exactly(group_message)
+
+      expect(
+        TopicQuery
+          .new(user_3, group_name: group_2.name)
+          .private_messages_for(user_3, :group)
+      ).to eq([])
+
+      expect(
+        TopicQuery
+          .new(user_4, group_name: group_2.name)
+          .private_messages_for(user_4, :group)
+      ).to contain_exactly(group_message_2)
+    end
+
+    it 'returns a list of personal private messages for a given user' do
+      expect(TopicQuery.new(user).private_messages_for(user, :user))
+        .to contain_exactly(private_message, group_message)
+
+      expect(TopicQuery.new(user_2).private_messages_for(user_2, :user))
+        .to contain_exactly(private_message)
+
+      expect(TopicQuery.new(user_3).private_messages_for(user_3, :user))
+        .to contain_exactly(group_message_2)
+
+      expect(TopicQuery.new(user_4).private_messages_for(user_4, :user))
+        .to eq([])
+    end
+
+    it 'returns a list of all private messages for a given user' do
+      expect(TopicQuery.new(user).private_messages_for(user, :all))
+        .to contain_exactly(private_message, group_message)
+
+      expect(TopicQuery.new(user_2).private_messages_for(user_2, :all))
+        .to contain_exactly(private_message, group_message)
+
+      expect(TopicQuery.new(user_3).private_messages_for(user_3, :all))
+        .to contain_exactly(group_message_2)
+
+      expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
+        .to contain_exactly(group_message_2)
+
+      group_2.remove(user_4)
+
+      expect(TopicQuery.new(user_4).private_messages_for(user_4, :all))
+        .to eq([])
+    end
+  end
 end
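Review bot: The `:group` example queries `group` only as `user`/`user_2` and `group_2` only as `user_3`/`user_4`, so it never asserts that a member of one group gets nothing back when asking for the other group's inbox. The membership-removal check also exists only in the `:all` example. Since the commit message says these specs are meant to catch messages leaking between users, I would add the cross-group case, e.g. `expect(TopicQuery.new(user_4, group_name: group.name).private_messages_for(user_4, :group)).to eq([])` (the expected value is presumed from the intent; confirm it against the implementation), and repeat the post-`group_2.remove(user_4)` assertion for `:group`. Every call here also passes the same user to `TopicQuery.new` and to `private_messages_for`; if callers can pass different users, that combination is untested in this hunk.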

GitHub sha: 7a8b5cdd5c4466c73f77ca30bd28eca90d7ba0c2

This commit appears in #14385 which was approved by lis2 and eviltrout. It was merged by tgxworld.