FIX: Only users who can see a topic may change keys.

From cc7ff49f3c03d81af5c73ddf83a08c7257ab1872 Mon Sep 17 00:00:00 2001
From: Dan Ungureanu <dan@ungureanu.me>
Date: Tue, 4 Dec 2018 18:25:27 +0200
Subject: [PATCH] FIX: Only users who can see a topic may change keys.


diff --git a/plugin.rb b/plugin.rb
index e9024ef..4bf3b27 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -86,18 +86,20 @@ after_initialize do
       #               This parameter is optional when editing a topic's title.
       def put_topickeys
         topic_id = params.require(:topic_id)
-        title = params[:title]
-        keys = params[:keys]
 
-        if title
-          # Title may be missing when inviting new users into conversation.
-          topic = Topic.find_by(id: topic_id)
+        topic = Topic.find_by(id: topic_id)
+        if !Guardian.new(current_user).can_see_topic?(topic)
+          return render json: failed_json
+        end
+
+        if title = params[:title]
+          # Title may be missing when inviting new users into topic.
           topic.custom_fields["encrypted_title"] = title
           topic.save!
         end
 
-        if keys
-          # Keys may be missing when editing a conversation.
+        if keys = params[:keys]
+          # Keys may be missing when editing a topic.
           users = Hash[User.where(username: keys.keys).map { |u| [u.username, u] }]
           keys.each { |u, k| Store.set("key_#{topic_id}_#{users[u].id}", k) }
         end
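Review bot: The new guard checks only read visibility, but the endpoint performs two writes, and `can_see_topic?` is a weaker condition than either of them warrants: any user who can merely view the topic can now overwrite `topic.custom_fields["encrypted_title"]` and, since the `keys.each` loop trusts whatever usernames the client sends, can replace the stored key of every user named in `keys` via `Store.set("key_#{topic_id}_#{users[u].id}", k)`. Suggest gating the title branch on `Guardian.new(current_user).can_edit?(topic)` and, in the keys branch, restricting the accepted usernames to users the current user is actually allowed to grant access for (for example the topic's participants when the current user may invite), rather than any username present in the request. Two smaller points in the same hunk: `users[u]` is `nil` for an unknown username, so `users[u].id` raises `NoMethodError` instead of returning `failed_json`; and `Topic.find_by` may return `nil`, so if `can_see_topic?` does not already reject a `nil` topic the check should be `if topic.nil? || !Guardian.new(current_user).can_see_topic?(topic)`.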

Is there a test for this?

Not yet. :frowning:

I will be doing one today.

I think you sorted out a test here right?

Yes.