
SECURITY: Restrict message-bus access on login_required sites

diff --git a/app/assets/javascripts/discourse/initializers/message-bus.js.es6 b/app/assets/javascripts/discourse/initializers/message-bus.js.es6
index 6730825..960aaaa 100644
--- a/app/assets/javascripts/discourse/initializers/message-bus.js.es6
+++ b/app/assets/javascripts/discourse/initializers/message-bus.js.es6
@@ -34,6 +34,12 @@ export default {
 
     // we do not want to start anything till document is complete
     messageBus.stop();
+
+    if (siteSettings.login_required && !user) {
+      // Endpoint is not available in this case, so don't try
+      return;
+    }
+
     // jQuery ready is called on "interactive" we want "complete"
     // Possibly change to document.addEventListener('readystatechange',...
     // but would only stop a handful of interval, message bus being delayed by
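Review bot: The early `return` under `if (siteSettings.login_required && !user)` is a client-side convenience, not the access control — the server-side `Discourse::InvalidAccess` raise in `004-message_bus.rb` is what actually blocks anonymous polling — and the comment should say so, e.g. `// Server rejects anonymous message-bus polling on login_required sites (403); skip starting the bus rather than issuing requests that will fail`. Because the bus is left in the stopped state from `messageBus.stop()` and nothing here restarts it, this relies on a successful login causing a full page load so the initializer runs again; presumably that is how Discourse behaves, but it is worth confirming, since an in-page login would otherwise leave the user without live updates. The enclosing initializer function continues beyond the end of the hunk.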
diff --git a/config/initializers/004-message_bus.rb b/config/initializers/004-message_bus.rb
index 6897ba4..da12f03 100644
--- a/config/initializers/004-message_bus.rb
+++ b/config/initializers/004-message_bus.rb
@@ -45,6 +45,9 @@ def setup_message_bus_env(env)
       Discourse.warn_exception(e, message: "Unexpected error in Message Bus")
     end
     user_id = user && user.id
+
+    raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required
+
     is_admin = !!(user && user.admin?)
     group_ids = if is_admin
       # special rule, admin is allowed access to all groups
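Review bot: The new check `raise Discourse::InvalidAccess if !user_id && SiteSetting.login_required` is correctly placed after the `begin/rescue` that only warns on a failed user lookup, so on a login_required site a lookup error now fails closed (no `user_id` → 403) instead of silently degrading to anonymous access; a short comment would make that deliberate ordering clear, e.g. `# login_required sites expose no channels to anonymous clients; this is the real control (the JS client only skips the request), and it must stay after the rescue above so lookup failures fail closed`. Whether the raised exception actually surfaces to the client as 403 depends on MessageBus' error-handling hook mapping `Discourse::InvalidAccess`, which is not visible in this diff; the new spec asserts 403, so presumably that mapping already exists, but it is the load-bearing piece here. `setup_message_bus_env` begins before this hunk.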
diff --git a/spec/integration/message_bus_spec.rb b/spec/integration/message_bus_spec.rb
new file mode 100644
index 0000000..62db333
--- /dev/null
+++ b/spec/integration/message_bus_spec.rb
@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe 'message bus integration' do
+
+  it "allows anonymous requests to the messagebus" do
+    post "/message-bus/poll"
+    expect(response.status).to eq(200)
+  end
+
+  it "allows authenticated requests to the messagebus" do
+    sign_in Fabricate(:user)
+    post "/message-bus/poll"
+    expect(response.status).to eq(200)
+  end
+
+  context "with login_required" do
+    before { SiteSetting.login_required = true }
+
+    it "blocks anonymous requests to the messagebus" do
+      post "/message-bus/poll"
+      expect(response.status).to eq(403)
+    end
+
+    it "allows authenticated requests to the messagebus" do
+      sign_in Fabricate(:user)
+      post "/message-bus/poll"
+      expect(response.status).to eq(200)
+    end
+  end
+
+end
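Review bot: The two top-level examples at `it "allows anonymous requests to the messagebus"` and `it "allows authenticated requests to the messagebus"` implicitly depend on `login_required` being false by default, while the contrasting cases sit under `context "with login_required"`; wrapping them in `context "without login_required"` with `before { SiteSetting.login_required = false }` would state the precondition explicitly and make the two `"allows authenticated requests"` descriptions distinguishable in failure output. Given the server-side change is the security control, it would also be worth a case for the fail-closed path — an anonymous request on a login_required site when the user lookup itself raises — though how to stub that depends on code outside this diff.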

GitHub sha: 92f2202e
