FIX: Don't allow access to plugin page if plugin is not visible (#26431)
Plugins that are hidden or disabled aren't shown in the plugins list at `/admin/plugins` because they cannot be changed. However, the `#show` route doesn't check for the plugin's state and responds with 200 and the plugin's info even if the plugin is hidden or disabled. This commit makes the `#show` route respond with 404 if the plugin is hidden or disabled.
parent
50caef6783
commit
3b86dee520
|
@ -16,7 +16,7 @@ class Admin::PluginsController < Admin::StaffController
|
||||||
# version of their plugin name for a route.
|
# version of their plugin name for a route.
|
||||||
plugin = Discourse.plugins_by_name["discourse-#{params[:plugin_id]}"] if !plugin
|
plugin = Discourse.plugins_by_name["discourse-#{params[:plugin_id]}"] if !plugin
|
||||||
|
|
||||||
raise Discourse::NotFound if !plugin
|
raise Discourse::NotFound if !plugin&.visible?
|
||||||
|
|
||||||
render_serialized(plugin, AdminPluginSerializer, root: nil)
|
render_serialized(plugin, AdminPluginSerializer, root: nil)
|
||||||
end
|
end
|
||||||
|
|
|
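Review bot: The new guard `raise Discourse::NotFound if !plugin&.visible?` folds two cases into one expression, a plugin that was not found (`nil&.visible?` is `nil`) and a plugin that exists but is not visible, and nothing on the line says the shared 404 is deliberate. A one-line comment above it, for example `# Same 404 for unknown and non-visible plugins, so the response does not reveal which hidden plugins are installed`, would keep a later edit from splitting the cases into 404 and 403. The description speaks of hidden or disabled plugins while the check relies on `visible?` alone, whose definition is not in this hunk, so it is worth confirming that it covers the disabled case. The action's body starts above the hunk.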
@ -77,6 +77,14 @@ RSpec.describe Admin::PluginsController do
|
||||||
expect(response.status).to eq(404)
|
expect(response.status).to eq(404)
|
||||||
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
|
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
|
||||||
end
|
end
|
||||||
|
|
||||||
|
it "404s if the plugin is not visible" do
|
||||||
|
poll = Discourse.plugins_by_name["poll"]
|
||||||
|
poll.stubs(:visible?).returns(false)
|
||||||
|
|
||||||
|
get "/admin/plugins/poll.json"
|
||||||
|
expect(response.status).to eq(404)
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
context "when logged in as a moderator" do
|
context "when logged in as a moderator" do
|
||||||
|
|
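Review bot: The added example "404s if the plugin is not visible" asserts only the status code, while the example just above it also checks the error body. Adding `expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))` would pin that a hidden plugin gets the same response as a missing one and that no serialized plugin data is returned. The test stubs `visible?` directly, so it does not exercise whatever state makes a plugin hidden or disabled. A second example that drives that real state would cover the behaviour the description promises, if the plugin API allows setting it in a spec. The enclosing `describe`/`context` blocks start outside the hunk.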