FIX: Restrict mods from seeing Subscriptions admin features (#70)

As reported [on Meta](https://meta.discourse.org/t/discourse-subscriptions/140818/352?u=justin), moderators could access all of the subscriptions data (plugins/prices/subscribers) and manage them. This should not be the case, so this PR adds a route constraint that returns 404 to moderators on these routes.
This commit is contained in:
Justin DiRose 2021-06-08 17:24:13 -05:00 committed by GitHub
parent 791c7fa7a5
commit 227c55e6f5
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 11 additions and 11 deletions


@ -8,7 +8,7 @@ DiscourseSubscriptions::Engine.routes.draw do
post '/create-campaign' => 'admin#create_campaign' post '/create-campaign' => 'admin#create_campaign'
end end
namespace :admin do namespace :admin, constraints: AdminConstraint.new do
resources :plans resources :plans
resources :subscriptions, only: [:index, :destroy] resources :subscriptions, only: [:index, :destroy]
resources :products resources :products
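Review bot: The `post '/create-campaign' => 'admin#create_campaign'` route on the line before the `end` sits outside the `namespace :admin` block that receives `constraints: AdminConstraint.new`, so this change does not gate that admin-controller action at the router; whether that controller enforces admin itself is not visible in the hunk and should be confirmed. The constraint is also only a routing-level check: the spec hunks show these endpoints previously answered 403 from a controller-level staff check, so the controllers presumably still admit moderators if reached, and the admin requirement should be asserted there too (e.g. a `before_action :ensure_admin` in place of the staff check) so the route constraint is a second layer rather than the only one. The `DiscourseSubscriptions::Engine.routes.draw` block continues outside the hunk.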


@ -12,7 +12,7 @@ module DiscourseSubscriptions
it "does nothing" do it "does nothing" do
::Stripe::PromotionCode.expects(:list).never ::Stripe::PromotionCode.expects(:list).never
get "/s/admin/coupons.json" get "/s/admin/coupons.json"
expect(response.status).to eq(403) expect(response.status).to eq(404)
end end
end end
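Review bot: Every visible spec hunk only rewrites an existing expectation from 403 to 404, and none of them appears to sign in a moderator, which is the case the commit exists to fix; the same applies to the plans hunks (L34-L51) and the products hunks (L55-L81). Consider adding, in each of these files, an example that does `sign_in(Fabricate(:moderator))` and then asserts `expect(response.status).to eq(404)` for the index, show, create, update and destroy paths, so that the moderator exclusion is pinned rather than inferred from the anonymous case. The `describe`/`context` blocks that set up the current user start outside these hunks, so the user being exercised in the existing examples cannot be confirmed from here.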


@ -18,7 +18,7 @@ module DiscourseSubscriptions
it "not ok" do it "not ok" do
get "/s/admin/plans.json" get "/s/admin/plans.json"
expect(response.status).to eq 403 expect(response.status).to eq 404
end end
end end
@ -30,7 +30,7 @@ module DiscourseSubscriptions
it "is not ok" do it "is not ok" do
post "/s/admin/plans.json", params: { name: 'Rick Astley', amount: 1, interval: 'week' } post "/s/admin/plans.json", params: { name: 'Rick Astley', amount: 1, interval: 'week' }
expect(response.status).to eq 403 expect(response.status).to eq 404
end end
end end
@ -42,7 +42,7 @@ module DiscourseSubscriptions
it "is not ok" do it "is not ok" do
get "/s/admin/plans/plan_12345.json" get "/s/admin/plans/plan_12345.json"
expect(response.status).to eq 403 expect(response.status).to eq 404
end end
end end


@ -13,31 +13,31 @@ module DiscourseSubscriptions
it "does not list the products" do it "does not list the products" do
::Stripe::Product.expects(:list).never ::Stripe::Product.expects(:list).never
get "/s/admin/products.json" get "/s/admin/products.json"
expect(response.status).to eq(403) expect(response.status).to eq(404)
end end
it "does not create the product" do it "does not create the product" do
::Stripe::Product.expects(:create).never ::Stripe::Product.expects(:create).never
post "/s/admin/products.json" post "/s/admin/products.json"
expect(response.status).to eq(403) expect(response.status).to eq(404)
end end
it "does not show the product" do it "does not show the product" do
::Stripe::Product.expects(:retrieve).never ::Stripe::Product.expects(:retrieve).never
get "/s/admin/products/prod_qwerty123.json" get "/s/admin/products/prod_qwerty123.json"
expect(response.status).to eq(403) expect(response.status).to eq(404)
end end
it "does not update the product" do it "does not update the product" do
::Stripe::Product.expects(:update).never ::Stripe::Product.expects(:update).never
put "/s/admin/products/prod_qwerty123.json" put "/s/admin/products/prod_qwerty123.json"
expect(response.status).to eq(403) expect(response.status).to eq(404)
end end
it "does not delete the product" do it "does not delete the product" do
::Stripe::Product.expects(:delete).never ::Stripe::Product.expects(:delete).never
delete "/s/admin/products/u2.json" delete "/s/admin/products/u2.json"
expect(response.status).to eq(403) expect(response.status).to eq(404)
end end
end end


@ -20,7 +20,7 @@ module DiscourseSubscriptions
it "does nothing" do it "does nothing" do
::Stripe::Subscription.expects(:list).never ::Stripe::Subscription.expects(:list).never
get "/s/admin/subscriptions.json" get "/s/admin/subscriptions.json"
expect(response.status).to eq(403) expect(response.status).to eq(404)
end end
it "does not destroy a subscription" do it "does not destroy a subscription" do