FIX: Return proper status (403) when invalid access.

FIX: Return proper status (403) when invalid access.
From ac472fc1dfadd2fad9f1bc224b1716aac316eeef Mon Sep 17 00:00:00 2001
From: Dan Ungureanu <dan@ungureanu.me>
Date: Wed, 5 Dec 2018 10:56:13 +0200
Subject: [PATCH] FIX: Return proper status (403) when invalid access.


diff --git a/plugin.rb b/plugin.rb
index 00fb61d..35cd0d6 100644
--- a/plugin.rb
+++ b/plugin.rb
@@ -89,7 +89,7 @@ after_initialize do
 
         topic = Topic.find_by(id: topic_id)
         if !Guardian.new(current_user).can_see_topic?(topic)
-          return render json: failed_json
+          return render json: failed_json, status: 403
         end
 
         if title = params[:title]
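Review bot: The new line hard-codes the status as the integer `403`; Rails also accepts the symbolic form, and in Discourse controllers a failed Guardian check is conventionally signalled by raising, so that the body and status match every other forbidden response in the application: `raise Discourse::InvalidAccess unless Guardian.new(current_user).can_see_topic?(topic)`, or at minimum `return render json: failed_json, status: :forbidden`. The second hunk (line 117, the usernames branch) makes the identical change and should be treated the same way. Note that `Topic.find_by` may return nil for an unknown id, which presumably also ends up in this branch and thus answers 403 rather than 404 — that is the better choice against topic-id enumeration, but it is worth a one-line comment such as `# unknown and unreadable topics are deliberately indistinguishable (403)` and a spec. Both controller actions start and end outside the hunks, inside the `after_initialize` block.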
@@ -117,7 +117,7 @@ after_initialize do
 
         topic = Topic.find_by(id: topic_id)
         if !Guardian.new(current_user).can_see_topic?(topic)
-          return render json: failed_json
+          return render json: failed_json, status: 403
         end
 
         users = User.where(username: usernames)
diff --git a/spec/requests/encrypt_controller_spec.rb b/spec/requests/encrypt_controller_spec.rb
index d7de995..75db55b 100644
--- a/spec/requests/encrypt_controller_spec.rb
+++ b/spec/requests/encrypt_controller_spec.rb
@@ -118,7 +118,24 @@ describe ::DiscourseEncrypt::EncryptController do
   end
 
   context '#topic_put' do
-    it 'does not work when logged in' do
+    it 'does not work when not logged in' do
+      put '/encrypt/topic', params: {
+        topic_id: topic.id,
+        title: '-- other encrypted title --',
+        keys: {
+          user: '-- other key of user --',
+          user2: '-- other key of user2 --'
+        }
+      }
+
+      expect(topic.custom_fields['encrypted_title']).to eq('-- the encrypted title --')
+      expect(store.get("key_#{topic.id}_#{user.id}")).to eq('-- the key of user --')
+      expect(store.get("key_#{topic.id}_#{user2.id}")).to eq('-- the key of user2 --')
+    end
+
+    it 'does not work for users who cannot see topic' do
+      sign_in(other_user)
+
       put '/encrypt/topic', params: {
         topic_id: topic.id,
         title: '-- other encrypted title --',
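Review bot: The new 'does not work when not logged in' example checks only that the stored title and keys are unchanged and never asserts the response status, whereas its counterpart in the `#topic_delete` context pins `expect(response.status).to eq(403)` for the same unauthenticated path. Add `expect(response.status).to eq(403)` immediately after the `put` block so a regression that renders 200 without writing anything is still caught. The 'does not work for users who cannot see topic' example that follows continues past the end of the hunk, so whether it asserts the status cannot be seen here.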
@@ -186,7 +203,17 @@ describe ::DiscourseEncrypt::EncryptController do
   end
 
   context '#topic_delete' do
-    it 'does not work when logged in' do
+    it 'does not work when not logged in' do
+      delete '/encrypt/topic', params: { topic_id: topic.id, usernames: [ 'user' ] }
+
+      expect(response.status).to eq(403)
+      expect(store.get("key_#{topic.id}_#{user.id}")).to eq('-- the key of user --')
+      expect(store.get("key_#{topic.id}_#{user2.id}")).to eq('-- the key of user2 --')
+    end
+
+    it 'does not work for users who cannot see topic' do
+      sign_in(other_user)
+
       delete '/encrypt/topic', params: { topic_id: topic.id, usernames: [ 'user' ] }
 
       expect(response.status).to eq(403)
