FIX: ensure extra locales are only available to staff
parent
d18c9b2d4d
commit
53667a01c2
|
@ -1,7 +1,6 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
class ExtraLocalesController < ApplicationController
|
||||
|
||||
layout :false
|
||||
|
||||
skip_before_action :check_xhr,
|
||||
|
@ -11,13 +10,14 @@ class ExtraLocalesController < ApplicationController
|
|||
|
||||
def show
|
||||
bundle = params[:bundle]
|
||||
raise Discourse::InvalidAccess.new unless bundle =~ /^(admin|wizard)$/
|
||||
if params[:v] && params[:v].length == 32
|
||||
|
||||
raise Discourse::InvalidAccess.new if bundle !~ /^(admin|wizard)$/ || !current_user&.staff?
|
||||
|
||||
if params[:v]&.size == 32
|
||||
hash = ExtraLocalesController.bundle_js_hash(bundle)
|
||||
if hash == params[:v]
|
||||
immutable_for 24.hours
|
||||
end
|
||||
immutable_for(24.hours) if hash == params[:v]
|
||||
end
|
||||
|
||||
render plain: ExtraLocalesController.bundle_js(bundle), content_type: "application/javascript"
|
||||
end
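Review bot: The new allow-list guard `raise Discourse::InvalidAccess.new if bundle !~ /^(admin|wizard)$/ || !current_user&.staff?` anchors the bundle name with `^`/`$`, which in Ruby match at line boundaries rather than the ends of the string, so the regex only constrains one line of the parameter; anchor the whole value instead, `raise Discourse::InvalidAccess if bundle !~ /\A(admin|wizard)\z/ || !current_user&.staff?` (dropping the `.new` is the idiomatic raise form). The 404 for `-invalid..character!!` in the spec suggests a route constraint may already narrow the characters, but the controller should not depend on that for its own check. Placing the staff check before `bundle_js_hash` is the right order, since the hash is only computed for authorised callers. `show` ends in this hunk but the enclosing class continues outside it.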
|
||||
|
||||
|
|
|
@ -4,6 +4,30 @@ require 'rails_helper'
|
|||
|
||||
describe ExtraLocalesController do
|
||||
context 'show' do
|
||||
|
||||
it "won't work with a weird parameter" do
|
||||
get "/extra-locales/-invalid..character!!"
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
it "needs a valid bundle" do
|
||||
get "/extra-locales/made-up-bundle"
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
|
||||
it "requires staff access" do
|
||||
get "/extra-locales/admin"
|
||||
expect(response.status).to eq(403)
|
||||
|
||||
get "/extra-locales/wizard"
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
|
||||
context "logged in as a moderator" do
|
||||
|
||||
let(:moderator) { Fabricate(:moderator) }
|
||||
before { sign_in(moderator) }
|
||||
|
||||
it "caches for 24 hours if version is provided and it matches current hash" do
|
||||
get "/extra-locales/admin", params: { v: ExtraLocalesController.bundle_js_hash('admin') }
|
||||
expect(response.status).to eq(200)
|
||||
|
@ -16,16 +40,6 @@ describe ExtraLocalesController do
|
|||
expect(response.headers["Cache-Control"]).not_to eq("max-age=86400, public, immutable")
|
||||
end
|
||||
|
||||
it "needs a valid bundle" do
|
||||
get "/extra-locales/made-up-bundle"
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
|
||||
it "won't work with a weird parameter" do
|
||||
get "/extra-locales/-invalid..character!!"
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
|
||||
context "with plugin" do
|
||||
before do
|
||||
JsLocaleHelper.clear_cache!
|
||||
|
@ -48,12 +62,12 @@ describe ExtraLocalesController do
|
|||
|
||||
it "includes plugin translations" do
|
||||
get "/extra-locales/admin"
|
||||
|
||||
expect(response.status).to eq(200)
|
||||
expect(response.body.include?("github_badges")).to eq(true)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
describe ".bundle_js_hash" do
|
||||
it "doesn't call bundle_js more than once for the same locale and bundle" do
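Review bot: The new `requires staff access` example only sends anonymous requests, so it does not show that a signed-in non-staff user is rejected by the `current_user&.staff?` check, which is the boundary this commit introduces. Add a sibling context that signs in a regular user, `before { sign_in(Fabricate(:user)) }`, and expects 403 for both `/extra-locales/admin` and `/extra-locales/wizard`, mirroring the moderator context. The moderator context in the first hunk covers the matching-hash case; the non-matching case appears to be asserted at the start of the next hunk, so only the non-staff case looks missing from what is visible. `describe ExtraLocalesController` starts before the first hunk and its end is outside the visible hunks.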
|
||||
|
|