Merge branch 'master' of github.com:discourse/discourse

2019-08-19 17:21:17 +10:00 · 2019-08-19 17:21:17 +10:00 · 47638ffea4
parent accbbded15 24f94c40a6
commit 47638ffea4
3 changed files with 36 additions and 12 deletions
--- a/app/assets/javascripts/discourse/models/nav-item.js.es6
+++ b/app/assets/javascripts/discourse/models/nav-item.js.es6
@ -101,18 +101,8 @@ const NavItem = Discourse.Model.extend({
 });

 const ExtraNavItem = NavItem.extend({
-  href: Ember.computed({
-    set(key, value) {
-      let customHref;
-      NavItem.customNavItemHrefs.forEach(function(cb) {
-        customHref = cb.call(this, this);
-        if (customHref) {
-          return false;
-        }
-      }, this);
-      return customHref || value;
-    }
-  }),
+  @computed("href")
+  href: href => href,

  customFilter: null
 });
@ -189,6 +179,11 @@ NavItem.reopenClass({
      return item.customFilter.call(this, category, args);
    });

+    extraItems.forEach(item => {
+      if (!item.customHref) return;
+      item.set("href", item.customHref.call(this, category, args));
+    });
+
    return items.concat(extraItems);
  }
 });
--- a/app/controllers/categories_controller.rb
+++ b/app/controllers/categories_controller.rb
@ -117,6 +117,8 @@ class CategoriesController < ApplicationController
  end

  def show
+    guardian.ensure_can_see!(@category)
+
    if Category.topic_create_allowed(guardian).where(id: @category.id).exists?
      @category.permission = CategoryGroup.permission_types[:full]
    end
--- a/spec/requests/categories_controller_spec.rb
+++ b/spec/requests/categories_controller_spec.rb
@ -188,6 +188,33 @@ describe CategoriesController do
    end
  end

+  context '#show' do
+    before do
+      category.set_permissions(admins: :full)
+      category.save!
+    end
+
+    it "requires the user to be logged in" do
+      get "/c/#{category.id}/show.json"
+      expect(response.status).to eq(403)
+    end
+
+    describe "logged in" do
+      it "raises an exception if they don't have permission to see it" do
+        admin.update!(admin: false)
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(403)
+      end
+
+      it "renders category for users that have permission" do
+        sign_in(admin)
+        get "/c/#{category.id}/show.json"
+        expect(response.status).to eq(200)
+      end
+    end
+  end
+
  context '#destroy' do
    it "requires the user to be logged in" do
      delete "/categories/category.json"