mirror of
https://github.com/discourse/discourse.git
synced 2024-12-05 11:33:43 +08:00
SECURITY: Do not allow unauthorized access to category edit UI (#13252)
This commit is contained in:
parent
5f5301d478
commit
7d06980cc5
|
@ -11,6 +11,13 @@ export default DiscourseRoute.extend({
|
|||
);
|
||||
},
|
||||
|
||||
afterModel(model) {
|
||||
if (!model.can_edit) {
|
||||
this.replaceWith("/404");
|
||||
return;
|
||||
}
|
||||
},
|
||||
|
||||
titleToken() {
|
||||
return I18n.t("category.edit_dialog_title", {
|
||||
categoryName: this.currentModel.name,
|
||||
|
|
|
@ -126,3 +126,26 @@ acceptance("Category Edit", function (needs) {
|
|||
);
|
||||
});
|
||||
});
|
||||
|
||||
acceptance("Category Edit - no permission to edit", function (needs) {
|
||||
needs.user();
|
||||
needs.pretender((server, helper) => {
|
||||
server.get("/c/bug/find_by_slug.json", () => {
|
||||
return helper.response(200, {
|
||||
category: {
|
||||
id: 1,
|
||||
name: "bug",
|
||||
color: "e9dd00",
|
||||
text_color: "000000",
|
||||
slug: "bug",
|
||||
can_edit: false,
|
||||
},
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
test("returns 404", async function (assert) {
|
||||
await visit("/c/bug/edit");
|
||||
assert.equal(currentURL(), "/404");
|
||||
});
|
||||
});
|
||||
|
|
|
@ -45,7 +45,8 @@ export default {
|
|||
name: "testing",
|
||||
color: "0088CC",
|
||||
text_color: "FFFFFF",
|
||||
slug: "testing"
|
||||
slug: "testing",
|
||||
can_edit: true
|
||||
}
|
||||
}
|
||||
};
|
||||
|
|
|
@ -45,6 +45,10 @@ class CategorySerializer < SiteCategorySerializer
|
|||
end
|
||||
end
|
||||
|
||||
def include_available_groups?
|
||||
scope && scope.can_edit?(object)
|
||||
end
|
||||
|
||||
def available_groups
|
||||
Group.order(:name).pluck(:name) - group_permissions.map { |g| g[:group_name] }
|
||||
end
|
||||
|
|
|
@ -43,4 +43,19 @@ describe CategorySerializer do
|
|||
expect(json[:notification_level]).to eq(NotificationLevels.all[:watching])
|
||||
end
|
||||
end
|
||||
|
||||
describe "available groups" do
|
||||
fab!(:user) { Fabricate(:user) }
|
||||
fab!(:admin) { Fabricate(:admin) }
|
||||
|
||||
it "not included for a regular user" do
|
||||
json = described_class.new(category, scope: Guardian.new(user), root: false).as_json
|
||||
expect(json[:available_groups]).to eq(nil)
|
||||
end
|
||||
|
||||
it "included for an admin" do
|
||||
json = described_class.new(category, scope: Guardian.new(admin), root: false).as_json
|
||||
expect(json[:available_groups]).to eq(Group.order(:name).pluck(:name) - ['everyone'])
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user