From 831e2c8d1bf13cd944f5683980cfe95f59db2ae8 Mon Sep 17 00:00:00 2001
From: Jon Moss <me@jonathanmoss.me>
Date: Thu, 18 Feb 2016 12:31:04 -0500
Subject: Prevent invocation of channel action if rejected connection

Fixes #23757.

Before this commit, even if `reject` was called in the `subscribe`
method for an Action Cable channel, all actions on that channel could
still be invoked. This calls a `return` if a rejected connection tries
to invoke any actions on the channel.
---
 actioncable/lib/action_cable/channel/base.rb |  2 +-
 actioncable/test/channel/rejection_test.rb   | 15 +++++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

(limited to 'actioncable')

diff --git a/actioncable/lib/action_cable/channel/base.rb b/actioncable/lib/action_cable/channel/base.rb
index 8ab061171e..2e589a2cfa 100644
--- a/actioncable/lib/action_cable/channel/base.rb
+++ b/actioncable/lib/action_cable/channel/base.rb
@@ -247,7 +247,7 @@ module ActionCable
         end
 
         def processable_action?(action)
-          self.class.action_methods.include?(action.to_s)
+          self.class.action_methods.include?(action.to_s) unless subscription_rejected?
         end
 
         def dispatch_action(action, data)
diff --git a/actioncable/test/channel/rejection_test.rb b/actioncable/test/channel/rejection_test.rb
index 0d2ac1c129..faf35ad048 100644
--- a/actioncable/test/channel/rejection_test.rb
+++ b/actioncable/test/channel/rejection_test.rb
@@ -7,6 +7,9 @@ class ActionCable::Channel::RejectionTest < ActiveSupport::TestCase
     def subscribed
       reject if params[:id] > 0
     end
+
+    def secret_action
+    end
   end
 
   setup do
@@ -21,4 +24,16 @@ class ActionCable::Channel::RejectionTest < ActiveSupport::TestCase
     expected = { "identifier" => "{id: 1}", "type" => "reject_subscription" }
     assert_equal expected, @connection.last_transmission
   end
+
+  test "does not execute action if subscription is rejected" do
+    @connection.expects(:subscriptions).returns mock().tap { |m| m.expects(:remove_subscription).with instance_of(SecretChannel) }
+    @channel = SecretChannel.new @connection, "{id: 1}", id: 1
+
+    expected = { "identifier" => "{id: 1}", "type" => "reject_subscription" }
+    assert_equal expected, @connection.last_transmission
+    assert_equal 1, @connection.transmissions.size
+
+    @channel.perform_action("action" => :secret_action)
+    assert_equal 1, @connection.transmissions.size
+  end
 end
-- 
cgit v1.2.3