SECURITY: don't reveal category details to users that do not have access

SECURITY: don’t reveal category details to users that do not have access

diff --git a/app/controllers/categories_controller.rb b/app/controllers/categories_controller.rb
index 3ff059c..7741713 100644
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@@ -117,6 +117,8 @@ class CategoriesController < ApplicationController
   end
 
   def show
+    guardian.ensure_can_see!(@category)
+
     if Category.topic_create_allowed(guardian).where(id: @category.id).exists?
       @category.permission = CategoryGroup.permission_types[:full]
     end
diff --git a/spec/requests/categories_controller_spec.rb b/spec/requests/categories_controller_spec.rb
index cc69d5f..36072d0 100644
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
@@ -188,6 +188,33 @@ describe CategoriesController do
     end
   end
 
+  context '#show' do
+    before do
+      category.set_permissions(admins: :full)
+      category.save!
+    end
+
+    it "requires the user to be logged in" do
+      get "/c/#{category.id}/show.json"
+      expect(response.status).to eq(403)
+    end
+
+    describe "logged in" do
+      it "raises an exception if they don't have permission to see it" do
+        admin.update!(admin: false)
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(403)
+      end
+
+      it "renders category for users that have permission" do
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(200)
+      end
+    end
+  end
+
   context '#destroy' do
     it "requires the user to be logged in" do
       delete "/categories/category.json"
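Review bot: The example named "raises an exception if they don't have permission to see it" asserts a response status, not an exception, so the description overstates what is checked; `it "returns 403 for logged-in users without permission to see it" do` matches the assertion. Because the `before` block restricts the category to admins, the "requires the user to be logged in" case gets its 403 for the same reason as the no-permission case and therefore does not isolate the login requirement. There is also no positive case for a category the user can see as a non-admin or anonymous visitor, which is what would catch an over-broad guard; consider adding one that saves the category without the admin-only permission and expects 200. The `category` and `admin` fixtures and the enclosing `describe` are defined outside the hunk, so the assumption that `admin` is an admin fixture is inferred.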

GitHub sha: 24f94c40
