SECURITY: Do not allow unauthorized access to category edit UI (#13252)

This commit is contained in:
Penar Musaraj 2021-06-02 13:18:45 -04:00 committed by Neil Lalonde
parent 5f5301d478
commit 7d06980cc5
No known key found for this signature in database
GPG Key ID: FF871CA9037D0A91
5 changed files with 51 additions and 1 deletions


@ -11,6 +11,13 @@ export default DiscourseRoute.extend({
);
},
afterModel(model) {
if (!model.can_edit) {
this.replaceWith("/404");
return;
}
},
titleToken() {
return I18n.t("category.edit_dialog_title", {
categoryName: this.currentModel.name,
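Review bot: The `afterModel` redirect is a client-side convenience rather than an authorization boundary — it hides the edit UI when the serialized `can_edit` flag is false, but the server-side permission checks still have to be the authoritative control, so a short comment such as `// UX guard only: server-side permission checks remain authoritative` would stop a future maintainer from treating this redirect as the security fix. The `return;` after `this.replaceWith("/404");` is redundant, since nothing follows the `if` block in the hook. The route object continues outside the hunk.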


@ -126,3 +126,26 @@ acceptance("Category Edit", function (needs) {
);
});
});
acceptance("Category Edit - no permission to edit", function (needs) {
needs.user();
needs.pretender((server, helper) => {
server.get("/c/bug/find_by_slug.json", () => {
return helper.response(200, {
category: {
id: 1,
name: "bug",
color: "e9dd00",
text_color: "000000",
slug: "bug",
can_edit: false,
},
});
});
});
test("returns 404", async function (assert) {
await visit("/c/bug/edit");
assert.equal(currentURL(), "/404");
});
});
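Review bot: The new acceptance test only exercises `can_edit: false`; because the route guard tests `!model.can_edit`, a `find_by_slug.json` response that omits the key entirely should redirect too, and a second example with the key absent would pin that the guard fails closed rather than open. The `acceptance(...)` callback is fully inside the hunk.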


@ -45,7 +45,8 @@ export default {
name: "testing",
color: "0088CC",
text_color: "FFFFFF",
slug: "testing"
slug: "testing",
can_edit: true
}
}
};


@ -45,6 +45,10 @@ class CategorySerializer < SiteCategorySerializer
end
end
def include_available_groups?
scope && scope.can_edit?(object)
end
def available_groups
Group.order(:name).pluck(:name) - group_permissions.map { |g| g[:group_name] }
end
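Review bot: `scope && scope.can_edit?(object)` in `include_available_groups?` reads more idiomatically as `scope&.can_edit?(object)`, with identical behaviour for a nil scope. The gate also deserves a why-comment, because `available_groups` enumerates every group name on the site via `Group.order(:name).pluck(:name)` and withholding that list from users who cannot edit the category appears to be the point of the fix — e.g. `# Only users who can edit the category may see the full list of group names.` The `CategorySerializer` class continues outside the hunk.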


@ -43,4 +43,19 @@ describe CategorySerializer do
expect(json[:notification_level]).to eq(NotificationLevels.all[:watching])
end
end
describe "available groups" do
fab!(:user) { Fabricate(:user) }
fab!(:admin) { Fabricate(:admin) }
it "not included for a regular user" do
json = described_class.new(category, scope: Guardian.new(user), root: false).as_json
expect(json[:available_groups]).to eq(nil)
end
it "included for an admin" do
json = described_class.new(category, scope: Guardian.new(admin), root: false).as_json
expect(json[:available_groups]).to eq(Group.order(:name).pluck(:name) - ['everyone'])
end
end
end
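Review bot: `expect(json[:available_groups]).to eq(nil)` in the regular-user example does not distinguish an omitted attribute from one serialized as nil; since the serializer gates the attribute with `include_available_groups?`, `expect(json).not_to have_key(:available_groups)` pins the intended behaviour more precisely (and `be_nil` is the usual RSpec form where nil is what you mean). The admin example's `- ['everyone']` presumably depends on the fabricated category's default group permissions; a short comment naming that assumption would make the coupling explicit. The `describe CategorySerializer` block begins outside the hunk.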