From 3b86dee520204abe0ed85c4013c99468e1cd6470 Mon Sep 17 00:00:00 2001
From: Osama Sayegh
Date: Tue, 2 Apr 2024 16:26:15 +0300
Subject: [PATCH] FIX: Don't allow access to plugin page if plugin is not visible (#26431)

Plugins that are hidden or disabled aren't shown in the plugins list at `/admin/plugins` because they cannot be changed. However, the `#show` route doesn't check for the plugin's state and responds with 200 and the plugin's info even if the plugin is hidden or disabled. This commit makes the `#show` route respond with 404 if the plugin is hidden or disabled.
---
 app/controllers/admin/plugins_controller.rb | 2 +-
 spec/requests/admin/plugins_controller_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/app/controllers/admin/plugins_controller.rb b/app/controllers/admin/plugins_controller.rb
index 215331f3199..220543c88ab 100644
--- a/app/controllers/admin/plugins_controller.rb
+++ b/app/controllers/admin/plugins_controller.rb
@@ -16,7 +16,7 @@ class Admin::PluginsController < Admin::StaffController
 # version of their plugin name for a route.
 plugin = Discourse.plugins_by_name["discourse-#{params[:plugin_id]}"] if !plugin
- raise Discourse::NotFound if !plugin
+ raise Discourse::NotFound if !plugin&.visible?
 render_serialized(plugin, AdminPluginSerializer, root: nil)
 end
diff --git a/spec/requests/admin/plugins_controller_spec.rb b/spec/requests/admin/plugins_controller_spec.rb
index e5edfdc8263..021c4d066c4 100644
--- a/spec/requests/admin/plugins_controller_spec.rb
+++ b/spec/requests/admin/plugins_controller_spec.rb
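Review bot: The new guard `raise Discourse::NotFound if !plugin&.visible?` keys only on `visible?`, while the commit message promises a 404 for plugins that are hidden *or disabled*; whether `visible?` also covers the disabled state is not shown in this hunk and should be confirmed, otherwise a disabled-but-visible plugin's info is still served. Whatever predicate `#index` uses to build the `/admin/plugins` list is the one this route should share, ideally through a single helper called from both actions, so the list and the detail route cannot drift apart again. Raising the same `Discourse::NotFound` for a hidden plugin as for an unknown one is the right call, since an indistinguishable response avoids leaking which hidden plugins are installed; a one-line comment such as `# same 404 as an unknown plugin so hidden plugins cannot be enumerated` would make that intent explicit. The enclosing `show` action starts before this hunk.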
@@ -77,6 +77,14 @@ RSpec.describe Admin::PluginsController do
 expect(response.status).to eq(404)
 expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
 end
+
+ it "404s if the plugin is not visible" do
+ poll = Discourse.plugins_by_name["poll"]
+ poll.stubs(:visible?).returns(false)
+
+ get "/admin/plugins/poll.json"
+ expect(response.status).to eq(404)
+ end
 end
 context "when logged in as a moderator" do
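Review bot: The new example asserts only on the status code, so it does not prove that a hidden plugin's response is indistinguishable from an unknown plugin's; add `expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))` as the preceding example does, since identical bodies are what stop a staff user from enumerating hidden plugins by probing `/admin/plugins/<name>.json`. Stubbing `visible?` directly on the `poll` instance also sidesteps the hidden and disabled states the commit message describes; if that predicate is derived from those states, one example per state would tie the spec to the stated contract, and if it is not, a short comment saying `visible?` is the single source of truth for this route would document the choice. The `context` block enclosing these examples starts before this hunk.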