Prevent invocation of channel action if rejected connection

Fixes #23757. Before this commit, even if `reject` was called in the `subscribe` method for an Action Cable channel, all actions on that channel could still be invoked. This calls a `return` if a rejected connection tries to invoke any actions on the channel.
2022-11-09 12:12:34 -05:00 · 2016-02-18 12:31:04 -05:00 · 2016-02-18 12:31:04 -05:00 · 831e2c8d1b
commit 831e2c8d1b
parent c1d612cf5a
2 changed files with 16 additions and 1 deletions
--- a/actioncable/lib/action_cable/channel/base.rb
+++ b/actioncable/lib/action_cable/channel/base.rb
@ -247,7 +247,7 @@ module ActionCable
        end

        def processable_action?(action)
-          self.class.action_methods.include?(action.to_s)
+          self.class.action_methods.include?(action.to_s) unless subscription_rejected?
        end

        def dispatch_action(action, data)
--- a/actioncable/test/channel/rejection_test.rb
+++ b/actioncable/test/channel/rejection_test.rb
@ -7,6 +7,9 @@ class ActionCable::Channel::RejectionTest < ActiveSupport::TestCase
    def subscribed
      reject if params[:id] > 0
    end
+
+    def secret_action
+    end
  end

  setup do
@ -21,4 +24,16 @@ class ActionCable::Channel::RejectionTest < ActiveSupport::TestCase
    expected = { "identifier" => "{id: 1}", "type" => "reject_subscription" }
    assert_equal expected, @connection.last_transmission
  end
+
+  test "does not execute action if subscription is rejected" do
+    @connection.expects(:subscriptions).returns mock().tap { |m| m.expects(:remove_subscription).with instance_of(SecretChannel) }
+    @channel = SecretChannel.new @connection, "{id: 1}", id: 1
+
+    expected = { "identifier" => "{id: 1}", "type" => "reject_subscription" }
+    assert_equal expected, @connection.last_transmission
+    assert_equal 1, @connection.transmissions.size
+
+    @channel.perform_action("action" => :secret_action)
+    assert_equal 1, @connection.transmissions.size
+  end
 end