Fix moderator account being exposed in account moderation notification (#30082)

main-rebase-security-fix
Claire 2024-04-26 14:42:06 +02:00 committed by GitHub
parent 5201882a23
commit e845594878
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 13 additions and 2 deletions


@ -184,13 +184,13 @@ class Notification < ApplicationRecord
return unless new_record?
case activity_type
when 'Status', 'Follow', 'Favourite', 'FollowRequest', 'Poll', 'Report', 'AccountWarning'
when 'Status', 'Follow', 'Favourite', 'FollowRequest', 'Poll', 'Report'
self.from_account_id = activity&.account_id
when 'Mention'
self.from_account_id = activity&.status&.account_id
when 'Account'
self.from_account_id = activity&.id
when 'AccountRelationshipSeveranceEvent'
when 'AccountRelationshipSeveranceEvent', 'AccountWarning'
# These do not really have an originating account, but this is mandatory
# in the data model, and the recipient's account will by definition
# always exist
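Review bot: Moving `'AccountWarning'` into the recipient branch only affects notifications built after this change, because the method exits early on `return unless new_record?`. Any `AccountWarning` notification persisted before the fix keeps the moderator's id in `from_account_id`, and the commit (2 changed files) carries no backfill. If such rows can exist in deployed databases, a follow-up data migration along the lines of `Notification.where(activity_type: 'AccountWarning').update_all('from_account_id = account_id')` would close the exposure for stored data as well. The column name `account_id` is inferred from the `account` association and should be confirmed. The method starts and ends outside this hunk, so the assignment under the comment is not visible here.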


@ -138,6 +138,17 @@ RSpec.describe Notification do
expect(notification.account).to eq(account)
end
end
context 'when activity_type is an AccountWarning' do
it 'sets the notification from_account to the recipient of the notification' do
account = Fabricate(:account)
account_warning = Fabricate(:account_warning, target_account: account)
notification = Fabricate.build(:notification, activity_type: 'AccountWarning', activity: account_warning, account: account)
expect(notification.from_account).to eq(account)
end
end
end
describe '.preload_cache_collection_target_statuses' do
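Review bot: The new example asserts only that `from_account` equals the recipient, so it does not pin the property this fix is about: the moderator who issued the warning must not appear as the originating account. Adding `expect(notification.from_account).not_to eq(account_warning.account)` after the existing expectation would state that directly. This assumes the `:account_warning` fabricator creates a distinct issuing account, which is not visible in this hunk. The enclosing `describe` block starts outside the hunk.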