Ensure mail privacy in message reply and show view.

Thanks to @JuliusR for reporting.
2013-03-24 01:36:50 +01:00 · 2013-03-24 01:36:50 +01:00 · 18f6cadca2
parent da72d3a61c
commit 18f6cadca2
2 changed files with 16 additions and 6 deletions
--- a/app/controllers/messages_controller.rb
+++ b/app/controllers/messages_controller.rb
@ -8,6 +8,9 @@ class MessagesController < ApplicationController
  # Creates a new message object.
  def new
    @message = Message.new(params[:message])
+    if @message.reply_to and not @message.reply_to.is_readable_for?(current_user)
+      redirect_to new_message_url, alert: 'Nachricht ist privat!'
+    end
  end

  # Creates a new message.
@ -24,5 +27,8 @@ class MessagesController < ApplicationController
  # Shows a single message.
  def show
    @message = Message.find(params[:id])
+    unless @message.is_readable_for?(current_user)
+      redirect_to messages_url, alert: 'Nachricht ist privat!'
+    end
  end
 end
--- a/app/models/message.rb
+++ b/app/models/message.rb
@ -2,7 +2,7 @@ class Message < ActiveRecord::Base
  belongs_to :sender, :class_name => "User", :foreign_key => "sender_id"

  serialize :recipients_ids, Array
-  attr_accessor :sent_to_all, :group_id, :recipient_tokens
+  attr_accessor :sent_to_all, :group_id, :recipient_tokens, :reply_to
  
  scope :pending, where(:email_state => 0)
  scope :sent, where(:email_state => 1)
@ -46,11 +46,11 @@ class Message < ActiveRecord::Base
  end

  def reply_to=(message_id)
-    message = Message.find(message_id)
-    add_recipients([message.sender])
-    self.subject = "Re: #{message.subject}"
-    self.body = "#{message.sender.nick} schrieb am #{I18n.l(message.created_at, :format => :short)}:\n"
-    message.body.each_line{ |l| self.body += "> #{l}" }
+    @reply_to = Message.find(message_id)
+    add_recipients([@reply_to.sender])
+    self.subject = "Re: #{@reply_to.subject}"
+    self.body = "#{@reply_to.sender.nick} schrieb am #{I18n.l(@reply_to.created_at, :format => :short)}:\n"
+    @reply_to.body.each_line{ |l| self.body += "> #{l}" }
  end

  def mail_to=(user_id)
@ -83,6 +83,10 @@ class Message < ActiveRecord::Base
    end
    update_attribute(:email_state, 1)
  end
+
+  def is_readable_for?(user)
+    !private || sender == user || recipients_ids.include?(user.id)
+  end
 end