FIX: Restrict mods from seeing Subscriptions admin features (#70)
As reported [on Meta](https://meta.discourse.org/t/discourse-subscriptions/140818/352?u=justin), moderators could access all of the subscriptions data (plugins/prices/subscribers) and manage them. This should not be the case, so this PR adds a route constraint to 404 moderators from these routes.
This commit is contained in:
parent
791c7fa7a5
commit
227c55e6f5
|
@ -8,7 +8,7 @@ DiscourseSubscriptions::Engine.routes.draw do
|
||||||
post '/create-campaign' => 'admin#create_campaign'
|
post '/create-campaign' => 'admin#create_campaign'
|
||||||
end
|
end
|
||||||
|
|
||||||
namespace :admin do
|
namespace :admin, constraints: AdminConstraint.new do
|
||||||
resources :plans
|
resources :plans
|
||||||
resources :subscriptions, only: [:index, :destroy]
|
resources :subscriptions, only: [:index, :destroy]
|
||||||
resources :products
|
resources :products
|
||||||
|
|
|
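Review bot: The `constraints: AdminConstraint.new` added on `namespace :admin` only gates the routes declared inside that block, so the `post '/create-campaign' => 'admin#create_campaign'` route shown just above it (its enclosing block starts outside the hunk) is not covered and still depends entirely on whatever check `admin#create_campaign` performs itself; either confirm that controller-level check exists or move the route under the constrained namespace. Because a routing constraint is evaluated before any controller `before_action`, it should be kept as an extra layer rather than a replacement for the controllers' own admin checks, since any route later declared outside this block would otherwise be unprotected. The specs in this commit reference `/s/admin/coupons.json`, which is not visible in this hunk; it is worth checking that the coupons resource sits inside the same constrained block. A one-line comment above the namespace would make the intent clear to future maintainers, e.g. `# AdminConstraint returns 404 (not 403) to non-admins, including moderators, before any controller code runs`.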
@ -12,7 +12,7 @@ module DiscourseSubscriptions
|
||||||
it "does nothing" do
|
it "does nothing" do
|
||||||
::Stripe::PromotionCode.expects(:list).never
|
::Stripe::PromotionCode.expects(:list).never
|
||||||
get "/s/admin/coupons.json"
|
get "/s/admin/coupons.json"
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
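Review bot: Asserting `expect(response.status).to eq(404)` alone no longer distinguishes "rejected by the route constraint" from "route does not exist", so a regression that dropped the route entirely would keep these specs green; the `::Stripe::PromotionCode.expects(:list).never` line above it is what proves the controller was not reached, and should stay paired with the status check. The same applies to the products spec (the five examples ending at the `does not delete the product` block) and the subscriptions spec, whose `expects(...).never` lines serve the same role. If the specs files do not already have a positive counterpart in which an admin receives a 200 from the same URL, adding one next to these examples would close that gap; I cannot see the rest of each spec from this hunk.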
@ -18,7 +18,7 @@ module DiscourseSubscriptions
|
||||||
|
|
||||||
it "not ok" do
|
it "not ok" do
|
||||||
get "/s/admin/plans.json"
|
get "/s/admin/plans.json"
|
||||||
expect(response.status).to eq 403
|
expect(response.status).to eq 404
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
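Review bot: The plans "not ok" example only checks `expect(response.status).to eq 404` after `get "/s/admin/plans.json"`, with no expectation that the Stripe client is never invoked, unlike the coupons, products and subscriptions specs in this same commit; a 404 can also come from a missing route, so the example cannot tell the constraint rejection apart from a routing error. Adding a line such as `::Stripe::Plan.expects(:list).never` before the request (or whichever Stripe call the plans controller index makes — the controller is not visible here) would make the example prove the controller body was never reached. The same gap exists in the two later plans hunks, the `post "/s/admin/plans.json"` example and the `get "/s/admin/plans/plan_12345.json"` example. The enclosing `describe`/`context` blocks start outside each hunk.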
@ -30,7 +30,7 @@ module DiscourseSubscriptions
|
||||||
|
|
||||||
it "is not ok" do
|
it "is not ok" do
|
||||||
post "/s/admin/plans.json", params: { name: 'Rick Astley', amount: 1, interval: 'week' }
|
post "/s/admin/plans.json", params: { name: 'Rick Astley', amount: 1, interval: 'week' }
|
||||||
expect(response.status).to eq 403
|
expect(response.status).to eq 404
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -42,7 +42,7 @@ module DiscourseSubscriptions
|
||||||
|
|
||||||
it "is not ok" do
|
it "is not ok" do
|
||||||
get "/s/admin/plans/plan_12345.json"
|
get "/s/admin/plans/plan_12345.json"
|
||||||
expect(response.status).to eq 403
|
expect(response.status).to eq 404
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -13,31 +13,31 @@ module DiscourseSubscriptions
|
||||||
it "does not list the products" do
|
it "does not list the products" do
|
||||||
::Stripe::Product.expects(:list).never
|
::Stripe::Product.expects(:list).never
|
||||||
get "/s/admin/products.json"
|
get "/s/admin/products.json"
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "does not create the product" do
|
it "does not create the product" do
|
||||||
::Stripe::Product.expects(:create).never
|
::Stripe::Product.expects(:create).never
|
||||||
post "/s/admin/products.json"
|
post "/s/admin/products.json"
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "does not show the product" do
|
it "does not show the product" do
|
||||||
::Stripe::Product.expects(:retrieve).never
|
::Stripe::Product.expects(:retrieve).never
|
||||||
get "/s/admin/products/prod_qwerty123.json"
|
get "/s/admin/products/prod_qwerty123.json"
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "does not update the product" do
|
it "does not update the product" do
|
||||||
::Stripe::Product.expects(:update).never
|
::Stripe::Product.expects(:update).never
|
||||||
put "/s/admin/products/prod_qwerty123.json"
|
put "/s/admin/products/prod_qwerty123.json"
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "does not delete the product" do
|
it "does not delete the product" do
|
||||||
::Stripe::Product.expects(:delete).never
|
::Stripe::Product.expects(:delete).never
|
||||||
delete "/s/admin/products/u2.json"
|
delete "/s/admin/products/u2.json"
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
@ -20,7 +20,7 @@ module DiscourseSubscriptions
|
||||||
it "does nothing" do
|
it "does nothing" do
|
||||||
::Stripe::Subscription.expects(:list).never
|
::Stripe::Subscription.expects(:list).never
|
||||||
get "/s/admin/subscriptions.json"
|
get "/s/admin/subscriptions.json"
|
||||||
expect(response.status).to eq(403)
|
expect(response.status).to eq(404)
|
||||||
end
|
end
|
||||||
|
|
||||||
it "does not destroy a subscription" do
|
it "does not destroy a subscription" do
|
||||||
|
|