Ensure mail privacy in message reply and show view.

Thanks to @JuliusR for reporting.
Benjamin Meichsner 2013-03-24 01:36:50 +01:00
parent da72d3a61c
commit 18f6cadca2
2 changed files with 16 additions and 6 deletions


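--- a/PATH-NOT-SHOWN/messages_controller.rb
+++ b/PATH-NOT-SHOWN/messages_controller.rb
@@ -8,6 +8,9 @@ class MessagesController < ApplicationController
 # Creates a new message object.
 def new
 @message = Message.new(params[:message])
+if @message.reply_to and not @message.reply_to.is_readable_for?(current_user)
+redirect_to new_message_url, alert: 'Nachricht ist privat!'
+end
 end
 # Creates a new message.
@@ -24,5 +27,8 @@ class MessagesController < ApplicationController
 # Shows a single message.
 def show
 @message = Message.find(params[:id])
+unless @message.is_readable_for?(current_user)
+redirect_to messages_url, alert: 'Nachricht ist privat!'
+end
 end
 end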
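Review bot: The readability check added to `new` runs only after `Message.new(params[:message])` has already executed the `reply_to=` setter, which copies the quoted message's sender, subject and body into @message; the redirect merely stops that copy from being rendered by this action. The `create` action (named by the comment at the end of the first hunk but outside it) presumably builds a Message from the same params, and unless it repeats this check a private message could still be quoted into a sent reply, so the rule is safer enforced once in the model setter or a shared before_filter than in `new` alone. As a point of style, `and`/`not` are the low-precedence control-flow operators; the guard reads better as `if @message.reply_to && !@message.reply_to.is_readable_for?(current_user)`. Both actions also assume current_user is non-nil, because `is_readable_for?` calls `user.id`; that holds only if an authentication filter not visible here guarantees a signed-in user.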


@ -2,7 +2,7 @@ class Message < ActiveRecord::Base
belongs_to :sender, :class_name => "User", :foreign_key => "sender_id" belongs_to :sender, :class_name => "User", :foreign_key => "sender_id"
serialize :recipients_ids, Array serialize :recipients_ids, Array
attr_accessor :sent_to_all, :group_id, :recipient_tokens attr_accessor :sent_to_all, :group_id, :recipient_tokens, :reply_to
scope :pending, where(:email_state => 0) scope :pending, where(:email_state => 0)
scope :sent, where(:email_state => 1) scope :sent, where(:email_state => 1)
@ -46,11 +46,11 @@ class Message < ActiveRecord::Base
end end
def reply_to=(message_id) def reply_to=(message_id)
message = Message.find(message_id) @reply_to = Message.find(message_id)
add_recipients([message.sender]) add_recipients([@reply_to.sender])
self.subject = "Re: #{message.subject}" self.subject = "Re: #{@reply_to.subject}"
self.body = "#{message.sender.nick} schrieb am #{I18n.l(message.created_at, :format => :short)}:\n" self.body = "#{@reply_to.sender.nick} schrieb am #{I18n.l(@reply_to.created_at, :format => :short)}:\n"
message.body.each_line{ |l| self.body += "> #{l}" } @reply_to.body.each_line{ |l| self.body += "> #{l}" }
end end
def mail_to=(user_id) def mail_to=(user_id)
@ -83,6 +83,10 @@ class Message < ActiveRecord::Base
end end
update_attribute(:email_state, 1) update_attribute(:email_state, 1)
end end
def is_readable_for?(user)
!private || sender == user || recipients_ids.include?(user.id)
end
end end
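Review bot: `is_readable_for?` in the last hunk dereferences `user.id` unconditionally, so a nil user raises NoMethodError instead of answering false; a leading guard `return false unless user` (or `user && recipients_ids.include?(user.id)` in the last clause) makes the predicate safe to call from any context. The method is also undocumented, and a comment such as `# Readable by everyone unless private; a private message only by its sender and the listed recipients.` would state the access rule the controllers now depend on. Separately, `reply_to=` copies the quoted message's body into self.body before any readability check, the check living only in the controller, so every path that mass-assigns `reply_to` has to repeat it; this is hedged, since the callers are outside this hunk. The `is_` prefix on a predicate is unidiomatic Ruby (`readable_for?` would do), though renaming now would touch the controller call sites.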