FIX: restrict other user's notification routes (PR #14442)

It was possible to see notifications of other users using routes:

  • notifications/responses
  • notifications/likes-received
  • notifications/mentions
  • notifications/edits

For example, on this page:

We weren’t showing anything private (like notifications about private messages), only things that’re publicly available in other places. But anyway, it feels strange that it’s possible to look at notifications of someone else. Additionally, there is a risk that we can unintentionally leak something on these pages in the future.

This PR restricts these routes, now users will be seeing this:

GitHub

    return true if @user.id == user.id || is_admin?

Was wondering if this might be better instead of trying to compare two User objects.

Minor but we cant rely on fab! to fabricate the admin user once and reuse across the tests.

      fab!(:another_user) { Fabricate(:user) }

Do we need to sign in a user here? Otherwise, this is actually testing that an anon user cannot see the route rather than another user cannot view the route.

That’ll be better, definitely. Also, we need to check here if user is anonymous.

Do we need to sign in a user here?

Yeah, we need it, thank you for catching it.

But we actually need to check anonymous users too, so I’ve added more test cases.

@tgxworld I’ve addressed all your comments.

@AndrewPrigorshnev Looks like the tests are failing but changes look good to me. Feel free to merge once the tests have been fixed.