FIX: Some badge routes were still working even with badges disabled
This commit is contained in:
parent
9444c31918
commit
628275fc31
|
@ -1,4 +1,6 @@
|
|||
class UserBadgesController < ApplicationController
|
||||
before_action :ensure_badges_enabled
|
||||
|
||||
def index
|
||||
params.permit [:granted_before, :offset, :username]
|
||||
|
||||
|
@ -106,4 +108,8 @@ class UserBadgesController < ApplicationController
|
|||
master_api_call = current_user.nil? && is_api?
|
||||
master_api_call || guardian.can_grant_badges?(user)
|
||||
end
|
||||
|
||||
def ensure_badges_enabled
|
||||
raise Discourse::NotFound unless SiteSetting.enable_badges?
|
||||
end
|
||||
end
|
||||
|
|
|
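Review bot: `ensure_badges_enabled` is defined right after the `master_api_call || guardian.can_grant_badges?(user)` helper, and the `private` marker for that part of the class is outside the hunk, so I cannot confirm the new method is private; if it is not, Rails treats any public instance method of a controller as a potential action, so it should sit below `private` (or be declared with `private def ensure_badges_enabled`). Raising `Discourse::NotFound` rather than a forbidden error is a sensible choice here, since a disabled feature then looks exactly like a missing page instead of advertising a gated resource. The `before_action :ensure_badges_enabled` carries no `only:`/`except:`, so it guards every action of this controller, including the unauthenticated API path that the `master_api_call` branch accepts, which is what the commit title asks for; a one-line comment above the filter, `# Every badge endpoint, including the API ones, must 404 when badges are disabled`, would make that intent survive a later `only:` edit.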
@ -8,7 +8,7 @@ require_dependency 'admin_confirmation'
|
|||
class UsersController < ApplicationController
|
||||
|
||||
skip_before_action :authorize_mini_profiler, only: [:avatar]
|
||||
skip_before_action :check_xhr, only: [:show, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin]
|
||||
skip_before_action :check_xhr, only: [:show, :badges, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin]
|
||||
|
||||
before_action :ensure_logged_in, only: [:username, :update, :user_preferences_redirect, :upload_user_image,
|
||||
:pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state]
|
||||
|
@ -67,6 +67,7 @@ class UsersController < ApplicationController
|
|||
format.html do
|
||||
@restrict_fields = guardian.restrict_user_fields?(@user)
|
||||
store_preloaded("user_#{@user.username}", MultiJson.dump(user_serializer))
|
||||
render :show
|
||||
end
|
||||
|
||||
format.json do
|
||||
|
@ -75,6 +76,11 @@ class UsersController < ApplicationController
|
|||
end
|
||||
end
|
||||
|
||||
def badges
|
||||
raise Discourse::NotFound unless SiteSetting.enable_badges?
|
||||
show
|
||||
end
|
||||
|
||||
def card_badge
|
||||
end
|
||||
|
||||
|
|
|
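Review bot: The new `badges` action re-implements the guard inline with `raise Discourse::NotFound unless SiteSetting.enable_badges?` instead of using a filter like the `ensure_badges_enabled` added to UserBadgesController in this same commit; hoisting that method into ApplicationController and using `before_action :ensure_badges_enabled, only: [:badges]` here would keep the two controllers consistent and make the check harder to forget on the next badge action. The adjacent `card_badge` action (visible as context, body empty in this view) receives no such guard; if it is reachable through a badge route, it presumably needs the same check, which the filter form would cover by extending `only:`. Adding `:badges` to the `skip_before_action :check_xhr` list is required because the action delegates to `show`, which renders HTML for non-XHR requests; a short comment such as `# badges renders the full user page (via show), so it must accept plain GETs` would document why the exemption exists.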
@ -391,7 +391,7 @@ Discourse::Application.routes.draw do
|
|||
get "#{root_path}/:username/activity.rss" => "posts#user_posts_feed", format: :rss, constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
get "#{root_path}/:username/activity" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
get "#{root_path}/:username/activity/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
get "#{root_path}/:username/badges" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
get "#{root_path}/:username/badges" => "users#badges", constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
get "#{root_path}/:username/notifications" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
get "#{root_path}/:username/notifications/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
get "#{root_path}/:username/activity/pending" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
|
||||
|
|
|
@ -5,19 +5,25 @@ describe UserBadgesController do
|
|||
let(:badge) { Fabricate(:badge) }
|
||||
|
||||
context 'index' do
|
||||
let(:badge) { Fabricate(:badge, target_posts: true, show_posts: false) }
|
||||
it 'does not leak private info' do
|
||||
badge = Fabricate(:badge, target_posts: true, show_posts: false)
|
||||
p = create_post
|
||||
UserBadge.create(badge: badge, user: user, post_id: p.id, granted_by_id: -1, granted_at: Time.now)
|
||||
|
||||
get :index, params: { badge_id: badge.id }, format: :json
|
||||
expect(response.status).to eq(200)
|
||||
expect(response).to be_success
|
||||
|
||||
parsed = JSON.parse(response.body)
|
||||
expect(parsed["topics"]).to eq(nil)
|
||||
expect(parsed["badges"].length).to eq(1)
|
||||
expect(parsed["user_badge_info"]["user_badges"][0]["post_id"]).to eq(nil)
|
||||
end
|
||||
|
||||
it "fails when badges are disabled" do
|
||||
SiteSetting.enable_badges = false
|
||||
get :index, params: { badge_id: badge.id }, format: :json
|
||||
expect(response).not_to be_success
|
||||
end
|
||||
end
|
||||
|
||||
context 'index' do
|
||||
|
|
|
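Review bot: `expect(response).not_to be_success` in "fails when badges are disabled" is too weak to pin the behaviour the commit introduces, because a 500 from an unrelated failure would also satisfy it; the controller raises `Discourse::NotFound`, so the spec should assert the specific outcome, e.g. `expect(response.status).to eq(404)`. The same assertion appears in the UsersController spec's "fails if badges are disabled" example further down and should be tightened the same way. The hoisted `let(:badge)` presumably replaces the local `badge = Fabricate(...)` line inside "does not leak private info"; since the hunk is shown without side markers I cannot confirm that line was removed, but leaving both would shadow the `let` and fabricate two badges.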
@ -26,6 +26,19 @@ RSpec.describe UsersController do
|
|||
end
|
||||
end
|
||||
|
||||
describe "#badges" do
|
||||
it "renders fine by default" do
|
||||
get "/u/#{user.username}/badges"
|
||||
expect(response).to be_success
|
||||
end
|
||||
|
||||
it "fails if badges are disabled" do
|
||||
SiteSetting.enable_badges = false
|
||||
get "/u/#{user.username}/badges"
|
||||
expect(response).not_to be_success
|
||||
end
|
||||
end
|
||||
|
||||
describe "updating a user" do
|
||||
before do
|
||||
sign_in(user)
|
||||
|
|