fix exploit for viewing private dmails

2016-12-06 14:34:46 -08:00 · 2016-12-06 14:34:46 -08:00 · 4eb0a64135
commit 4eb0a64135
parent deb62e0cdb
2 changed files with 10 additions and 1 deletions
--- a/app/controllers/dmails_controller.rb
+++ b/app/controllers/dmails_controller.rb
@ -5,7 +5,9 @@ class DmailsController < ApplicationController

  def new
    if params[:respond_to_id]
-      @dmail = Dmail.find(params[:respond_to_id]).build_response(:forward => params[:forward])
+      parent = Dmail.find(params[:respond_to_id])
+      check_privilege(parent)
+      @dmail = parent.build_response(:forward => params[:forward])
    else
      @dmail = Dmail.new(params[:dmail])
    end
@ -58,6 +60,7 @@ class DmailsController < ApplicationController
  end

 private
+
  def check_privilege(dmail)
    if !dmail.visible_to?(CurrentUser.user, params[:key])
      raise User::PrivilegeError
--- a/test/functional/dmails_controller_test.rb
+++ b/test/functional/dmails_controller_test.rb
@ -22,6 +22,12 @@ class DmailsControllerTest < ActionController::TestCase
      end

      context "with a respond_to_id" do
+        should "check privileges" do
+          @user2 = FactoryGirl.create(:user)
+          get :new, {:respond_to_id => @dmail}, {:user_id => @user2.id}
+          assert_response 403
+        end
+
        should "prefill the fields" do
          get :new, {:respond_to_id => @dmail}, {:user_id => @user.id}
          assert_response :success