mirror of
https://github.com/discourse/discourse.git
synced 2024-11-26 13:03:39 +08:00
FIX: tag groups page should only be visible to staff
No security concern here because nothing private was visible, and no actions could be taken by non-staff users.
This commit is contained in:
parent
fb9e3e6423
commit
6f1b8ad16d
|
@ -1,5 +1,7 @@
|
|||
class TagGroupsController < ApplicationController
|
||||
requires_login except: [:index, :show]
|
||||
|
||||
requires_login
|
||||
before_action :ensure_staff
|
||||
|
||||
skip_before_action :check_xhr, only: [:index, :show]
|
||||
before_action :fetch_tag_group, only: [:show, :update, :destroy]
|
||||
|
|
|
@ -793,7 +793,7 @@ Discourse::Application.routes.draw do
|
|||
end
|
||||
end
|
||||
|
||||
resources :tag_groups, except: [:new, :edit] do
|
||||
resources :tag_groups, constraints: StaffConstraint.new, except: [:new, :edit] do
|
||||
collection do
|
||||
get '/filter/search' => 'tag_groups#search'
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user