From ae1e536e83940d58f1c79b835c75c249121c46b6 Mon Sep 17 00:00:00 2001
From: Jarek Radosz
Date: Thu, 29 Sep 2022 20:00:20 +0200
Subject: [PATCH] SECURITY: moderator shouldn't be able to import a theme via API (#18418)
* SECURITY: moderator shouldn't be able to import a theme via API.
* DEV: apply `AdminConstraint` for all the "themes" routes.
Co-authored-by: Vinoth Kannan
---
app/controllers/admin/themes_controller.rb | 1 +
config/routes.rb | 18 +++++++++++-------
spec/requests/admin/themes_controller_spec.rb | 7 +++++++
3 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/app/controllers/admin/themes_controller.rb b/app/controllers/admin/themes_controller.rb
index c22228ab6fe..49da3418fac 100644
--- a/app/controllers/admin/themes_controller.rb
+++ b/app/controllers/admin/themes_controller.rb
@@ -5,6 +5,7 @@ require 'base64'
 class Admin::ThemesController < Admin::AdminController
 skip_before_action :check_xhr, only: [:show, :preview, :export]
+ before_action :ensure_admin
 def preview
 theme = Theme.find_by(id: params[:id])
diff --git a/config/routes.rb b/config/routes.rb
index 7bd9ae757d3..0b1931aaeb9 100644
--- a/config/routes.rb
+++ b/config/routes.rb
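Review bot: The new `before_action :ensure_admin` carries no comment explaining why it is needed when every themes route is already wrapped in `AdminConstraint`, so a later cleanup could plausibly remove it as redundant; I would add above it `# Defence in depth: the routes are behind AdminConstraint, but moderators must never reach these actions even if a route is later declared without it.` It sits after the callbacks inherited from `Admin::AdminController`, which presumably only enforce staff membership, so this line is the first point at which a moderator is actually rejected inside the controller. Note that a controller-level guard presumably renders an access-denied response rather than the routing-level 404 the constraint produces, which matters when reading the accompanying spec. The `preview` method continues past the end of the hunk.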
@@ -206,13 +206,17 @@ Discourse::Application.routes.draw do
 get "customize/embedding" => "embedding#show", constraints: AdminConstraint.new
 put "customize/embedding" => "embedding#update", constraints: AdminConstraint.new
- resources :themes, constraints: AdminConstraint.new
-
- post "themes/import" => "themes#import"
- post "themes/upload_asset" => "themes#upload_asset"
- post "themes/generate_key_pair" => "themes#generate_key_pair"
- get "themes/:id/preview" => "themes#preview"
- put "themes/:id/setting" => "themes#update_single_setting"
+ resources :themes, constraints: AdminConstraint.new do
+ member do
+ get "preview" => "themes#preview"
+ put "setting" => "themes#update_single_setting"
+ end
+ collection do
+ post "import" => "themes#import"
+ post "upload_asset" => "themes#upload_asset"
+ post "generate_key_pair" => "themes#generate_key_pair"
+ end
+ end
 scope "/customize", constraints: AdminConstraint.new do
 resources :user_fields, constraints: AdminConstraint.new
diff --git a/spec/requests/admin/themes_controller_spec.rb b/spec/requests/admin/themes_controller_spec.rb
index 70e06609e4b..1fc23f2abb9 100644
--- a/spec/requests/admin/themes_controller_spec.rb
+++ b/spec/requests/admin/themes_controller_spec.rb
@@ -160,6 +160,13 @@ RSpec.describe Admin::ThemesController do
 expect(response.status).to eq(201)
 end
+ it 'should not be able to import a theme by moderator' do
+ sign_in(Fabricate(:moderator))
+
+ post "/admin/themes/import.json", params: { theme: theme_json_file }
+ expect(response.status).to eq(404)
+ end
+
 it 'imports a theme' do
 post "/admin/themes/import.json", params: { theme: theme_json_file }
 expect(response.status).to eq(201)
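Review bot: Nothing in the new block says that the `member`/`collection` routes inherit `constraints: AdminConstraint.new` from the enclosing `resources :themes`, which is the whole reason for nesting them and is not obvious to someone used to the previous flat `post "themes/import"` declarations; a short comment above `resources :themes` would make the invariant explicit: `# Declare every themes route inside this block so it inherits AdminConstraint.` Moving the routes into `member`/`collection` presumably also changes the generated route-helper names (a `themes_import`-style helper becoming `import_themes`, for example), so callers that used the old helpers should be checked, although the URL paths themselves are unchanged. The `routes.draw` block continues outside the hunk.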
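Review bot: The 404 asserted in the new example is the response of the routing-level `AdminConstraint`, so the request never reaches the controller and the `before_action :ensure_admin` added in the same commit is not exercised here; it would presumably surface as a different status, and only a test that bypasses routing or inspects the controller's filter chain can tell the two guards apart. The commit also moves `upload_asset`, `generate_key_pair`, `preview` and `setting` behind the constraint, yet only `import` is covered; the two collection endpoints can be tested the same way with no new fixtures, and the member routes need a theme id from a fixture this hunk does not show. The enclosing `describe` block continues outside the hunk.
```ruby
it 'should not be able to import a theme by moderator' do
  # … unchanged …
end

it 'should not let a moderator reach the other theme endpoints' do
  sign_in(Fabricate(:moderator))

  post "/admin/themes/upload_asset.json"
  expect(response.status).to eq(404)

  post "/admin/themes/generate_key_pair.json"
  expect(response.status).to eq(404)
end
```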