FIX: show 404 on new category page for moderators when Site Setting disabled (#21448)

Currently the /new-category url can be accessed by moderators, regardless of whether the Site Setting for moderators_manage_categories_and_groups is true or false.

On top of this, non authorized users can also access this page but shows errors (no 404 loaded).

Since the 404 redirect happens within Ember, we need to allow the site setting value to be accessed within JS. 

After this change all non admin users will see a 404 for this route, the exception being moderators if the moderators_manage_categories_and_groups setting has a value of true.

/t/73360
This commit is contained in:
David Battersby 2023-05-10 14:26:49 +08:00 committed by GitHub
parent 5d8632d484
commit a19027afae
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 45 additions and 1 deletions

View File

@ -12,6 +12,21 @@ export function setNewCategoryDefaultColors(backgroundColor, textColor) {
} }
export default DiscourseRoute.extend({ export default DiscourseRoute.extend({
beforeModel() {
if (!this.currentUser) {
this.replaceWith("/404");
return;
}
if (!this.currentUser.admin) {
if (
!this.currentUser.moderator ||
this.siteSettings.moderators_manage_categories_and_groups === false
) {
this.replaceWith("/404");
}
}
},
model() { model() {
return Promise.resolve(this.groupPermissions()) return Promise.resolve(this.groupPermissions())
.then((permissions) => { .then((permissions) => {

View File

@ -10,6 +10,33 @@ import sinon from "sinon";
import { test } from "qunit"; import { test } from "qunit";
import selectKit from "discourse/tests/helpers/select-kit-helper"; import selectKit from "discourse/tests/helpers/select-kit-helper";
acceptance("New category access for moderators", function (needs) {
needs.user({ moderator: true, admin: false, trust_level: 1 });
test("Authorizes access based on site setting", async function (assert) {
this.siteSettings.moderators_manage_categories_and_groups = false;
await visit("/new-category");
assert.strictEqual(currentURL(), "/404");
this.siteSettings.moderators_manage_categories_and_groups = true;
await visit("/new-category");
assert.strictEqual(
currentURL(),
"/new-category",
"it allows access to new category when site setting is enabled"
);
});
});
acceptance("New category access for non authorized users", function () {
test("Prevents access when not signed in", async function (assert) {
await visit("/new-category");
assert.strictEqual(currentURL(), "/404");
});
});
acceptance("Category New", function (needs) { acceptance("Category New", function (needs) {
needs.user(); needs.user();

View File

@ -1708,7 +1708,9 @@ security:
allow_indexing_non_canonical_urls: allow_indexing_non_canonical_urls:
default: true default: true
hidden: true hidden: true
moderators_manage_categories_and_groups: false moderators_manage_categories_and_groups:
default: false
client: true
moderators_change_post_ownership: moderators_change_post_ownership:
client: true client: true
default: false default: false