mirror of
https://github.com/discourse/discourse.git
synced 2024-11-23 07:30:16 +08:00
FIX: show 404 on new category page for moderators when Site Setting disabled (#21448)
Currently the /new-category URL can be accessed by moderators, regardless of whether the site setting moderators_manage_categories_and_groups is true or false. On top of this, non-authorized users can also reach this page, but it shows errors instead of loading a 404. Since the 404 redirect happens within Ember, we need to allow the site setting value to be accessed within JS. After this change, all non-admin users will see a 404 for this route, except moderators when the moderators_manage_categories_and_groups setting is true. /t/73360
parent
5d8632d484
commit
a19027afae
|
@ -12,6 +12,21 @@ export function setNewCategoryDefaultColors(backgroundColor, textColor) {
|
||||||
}
|
}
|
||||||
|
|
||||||
export default DiscourseRoute.extend({
|
export default DiscourseRoute.extend({
|
||||||
|
beforeModel() {
|
||||||
|
if (!this.currentUser) {
|
||||||
|
this.replaceWith("/404");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
if (!this.currentUser.admin) {
|
||||||
|
if (
|
||||||
|
!this.currentUser.moderator ||
|
||||||
|
this.siteSettings.moderators_manage_categories_and_groups === false
|
||||||
|
) {
|
||||||
|
this.replaceWith("/404");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
|
||||||
model() {
|
model() {
|
||||||
return Promise.resolve(this.groupPermissions())
|
return Promise.resolve(this.groupPermissions())
|
||||||
.then((permissions) => {
|
.then((permissions) => {
|
||||||
|
|
|
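Review bot: The moderator branch of `beforeModel` fails open, because `this.siteSettings.moderators_manage_categories_and_groups === false` redirects only when the value is exactly `false`; if the setting is ever missing or `undefined` on the client, a moderator passes the check. Testing truthiness instead, `!this.siteSettings.moderators_manage_categories_and_groups`, makes the guard deny by default. The second `this.replaceWith("/404");` also has no `return;` after it, unlike the first, so adding one keeps the two branches consistent if more code is later appended to the hook. A one-line comment above the hook, such as `// UI guard only: the server must still authorize category creation`, would state the intent for the next reader.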
@ -10,6 +10,33 @@ import sinon from "sinon";
|
||||||
import { test } from "qunit";
|
import { test } from "qunit";
|
||||||
import selectKit from "discourse/tests/helpers/select-kit-helper";
|
import selectKit from "discourse/tests/helpers/select-kit-helper";
|
||||||
|
|
||||||
|
acceptance("New category access for moderators", function (needs) {
|
||||||
|
needs.user({ moderator: true, admin: false, trust_level: 1 });
|
||||||
|
|
||||||
|
test("Authorizes access based on site setting", async function (assert) {
|
||||||
|
this.siteSettings.moderators_manage_categories_and_groups = false;
|
||||||
|
await visit("/new-category");
|
||||||
|
|
||||||
|
assert.strictEqual(currentURL(), "/404");
|
||||||
|
|
||||||
|
this.siteSettings.moderators_manage_categories_and_groups = true;
|
||||||
|
await visit("/new-category");
|
||||||
|
|
||||||
|
assert.strictEqual(
|
||||||
|
currentURL(),
|
||||||
|
"/new-category",
|
||||||
|
"it allows access to new category when site setting is enabled"
|
||||||
|
);
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
|
acceptance("New category access for non authorized users", function () {
|
||||||
|
test("Prevents access when not signed in", async function (assert) {
|
||||||
|
await visit("/new-category");
|
||||||
|
assert.strictEqual(currentURL(), "/404");
|
||||||
|
});
|
||||||
|
});
|
||||||
|
|
||||||
acceptance("Category New", function (needs) {
|
acceptance("Category New", function (needs) {
|
||||||
needs.user();
|
needs.user();
|
||||||
|
|
||||||
|
|
|
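Review bot: The new acceptance tests never exercise the `!this.currentUser.moderator` branch of the route guard: there is a moderator case and an anonymous case, but no signed-in user who is neither admin nor moderator. A third `acceptance` block using `needs.user({ moderator: false, admin: false });` followed by `await visit("/new-category");` and `assert.strictEqual(currentURL(), "/404");` would cover it. Setting `this.siteSettings.moderators_manage_categories_and_groups = true;` in that test would also show that the setting alone does not grant access to regular users. The first `assert.strictEqual(currentURL(), "/404");` in the moderator test has no message, while the later assertion does; adding one makes a failure easier to read.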
@ -1708,7 +1708,9 @@ security:
|
||||||
allow_indexing_non_canonical_urls:
|
allow_indexing_non_canonical_urls:
|
||||||
default: true
|
default: true
|
||||||
hidden: true
|
hidden: true
|
||||||
moderators_manage_categories_and_groups: false
|
moderators_manage_categories_and_groups:
|
||||||
|
default: false
|
||||||
|
client: true
|
||||||
moderators_change_post_ownership:
|
moderators_change_post_ownership:
|
||||||
client: true
|
client: true
|
||||||
default: false
|
default: false
|
||||||
|
|
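Review bot: Adding `client: true` to `moderators_manage_categories_and_groups` ships its value to every browser, and the check built on it runs entirely in the client, so it controls what is displayed rather than acting as an authorization boundary. No server-side change is visible in this diff; it is worth confirming that the category-creation endpoint enforces the same setting for moderators and rejects other non-admin users, and noting that in the commit description. If that enforcement already exists elsewhere, a short YAML comment such as `# exposed to the client for the /new-category route guard; enforced server-side` would record why the setting is client-visible.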