UX: show complete URL path if website domain is same as instance domain #5
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author
|
cursor review |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
|
|
||
| def include_website_name | ||
| website.present? | ||
| end |
There was a problem hiding this comment.
Bug: Privacy Bypass: Derived Field Exposed
The include_website_name method doesn't check scope.restrict_user_fields?(object) like other untrusted attributes. This causes website_name to be visible for TL0 users viewed by anonymous users, even though website is properly hidden. Since website_name is derived from website, it should respect the same privacy restrictions.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Test 6
Replicated from ai-code-review-evaluation/discourse-cursor#6
Note
Adds server-computed website_name to user JSON and updates the profile header to use it, showing host or full path based on relation to the instance domain.
UserSerializer: addwebsite_namewith logic to return host or full path depending on instance domain; include only whenwebsiteis present.user_serializer_specto validatewebsite_namefor different domain scenarios; adjust website fixture to include path.templates/user/user.hbs: replacewebsiteNamewithmodel.website_namein the user header link/text.controllers/user.js.es6: removewebsiteNamecomputed property.models/user.js.es6: fix JSDoc tag forprofileBackground.Written by Cursor Bugbot for commit 267d8be. Configure here.