CVE-2023-38685: SECURITY: Hide restricted tags in noscript view · discourse/discourse@0736611
Discourse is an open source discussion platform. Prior to version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches, information about restricted-visibility topic tags could be obtained by unauthorized users. The issue is patched in version 3.0.6 of the stable branch and version 3.1.0.beta7 of the beta and tests-passed branches.
Expand Up @@ -195,6 +195,28 @@
expect(new_sql_queries_count).to be <= initial_sql_queries_count end
context “with topics with tags” do let(:tag_group) { Fabricate.build(:tag_group) } let(:tag_group_permission) { Fabricate.build(:tag_group_permission, tag_group: tag_group) } let(:restricted_tag) { Fabricate(:tag) } let(:public_tag) { Fabricate(:tag) }
before do tag_group.tag_group_permissions << tag_group_permission tag_group.save! tag_group_permission.tag_group.tags << restricted_tag topic.tags << [public_tag, restricted_tag] end
it “does not show hidden tags” do get “/latest”
expect(response.status).to eq(200) expect(response.body).to include(public_tag.name) expect(response.body).not_to include(restricted_tag.name) end end end
describe “categories and X” do Expand Down
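Review bot: the new "with topics with tags" context (the block after `expect(new_sql_queries_count).to be <= initial_sql_queries_count`) only asserts that a visitor without access does not see `restricted_tag.name` in the `/latest` response body; it has no companion case showing that a user who is granted the tag group permission still sees the restricted tag, so a regression that strips every tag from the noscript view would also pass. Suggest adding a second `it` in the same context that signs in a user who belongs to the permitted group and asserts `expect(response.body).to include(restricted_tag.name)`, so the test pins both halves of the visibility rule rather than only the negative case. As a smaller point, `not_to include(restricted_tag.name)` is a plain substring match over the whole body; if the fabricated tag name ever happens to appear elsewhere in the page (or as part of a longer tag name), the assertion becomes brittle, so matching on the rendered tag markup or using distinctive fabricated names would make the intent clearer.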