FIX: Don't allow access to plugin page if plugin is not visible (#26431)

Plugins that are hidden or disabled aren't shown in the plugins list at `/admin/plugins` because they cannot be changed. However, the `#show` route doesn't check for the plugin's state and responds with 200 and the plugin's info even if the plugin is hidden or disabled. This commit makes the `#show` route respond with 404 if the plugin is hidden or disabled.
This commit is contained in:
Osama Sayegh 2024-04-02 16:26:15 +03:00 committed by GitHub
parent 50caef6783
commit 3b86dee520
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 9 additions and 1 deletions

View File

@ -16,7 +16,7 @@ class Admin::PluginsController < Admin::StaffController
# version of their plugin name for a route. # version of their plugin name for a route.
plugin = Discourse.plugins_by_name["discourse-#{params[:plugin_id]}"] if !plugin plugin = Discourse.plugins_by_name["discourse-#{params[:plugin_id]}"] if !plugin
raise Discourse::NotFound if !plugin raise Discourse::NotFound if !plugin&.visible?
render_serialized(plugin, AdminPluginSerializer, root: nil) render_serialized(plugin, AdminPluginSerializer, root: nil)
end end

View File

@ -77,6 +77,14 @@ RSpec.describe Admin::PluginsController do
expect(response.status).to eq(404) expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found")) expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end end
it "404s if the plugin is not visible" do
poll = Discourse.plugins_by_name["poll"]
poll.stubs(:visible?).returns(false)
get "/admin/plugins/poll.json"
expect(response.status).to eq(404)
end
end end
context "when logged in as a moderator" do context "when logged in as a moderator" do