FIX: restrict updates on `confirm_old_email` email templates

This commit is contained in:
Arpit Jalan 2018-05-19 11:45:57 +05:30
parent f3385a74cb
commit 9f422c93f6
4 changed files with 93 additions and 2 deletions


@ -23,7 +23,7 @@ class Admin::EmailTemplatesController < Admin::AdminController
"system_messages.unsilenced", "system_messages.user_automatically_silenced",
"system_messages.welcome_invite", "system_messages.welcome_user", "test_mailer",
"user_notifications.account_created", "user_notifications.admin_login",
"user_notifications.confirm_new_email", "user_notifications.confirm_old_email",
"user_notifications.confirm_new_email",
"user_notifications.notify_old_email", "user_notifications.forgot_password",
"user_notifications.set_password", "user_notifications.signup",
"user_notifications.signup_after_approval",
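Review bot: The restriction on `confirm_old_email` is now encoded twice by hand: here by omitting it from the template list in Admin::EmailTemplatesController, and again as three sub-keys in `Admin::SiteTextsController.restricted_keys` in the next file section. Nothing ties the two lists together, so a template added to or removed from one of them can silently diverge from the other. A cross-reference comment next to this list, e.g. `# confirm_old_email is deliberately absent here; see Admin::SiteTextsController.restricted_keys`, would make the omission visible to the next editor, and deriving this list from the restricted keys would be better still. The list literal starts before this hunk, so the constant or method holding it is not fully visible here.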


@ -7,6 +7,12 @@ class Admin::SiteTextsController < Admin::AdminController
'login_required.welcome_message']
end
def self.restricted_keys
['user_notifications.confirm_old_email.title',
'user_notifications.confirm_old_email.subject_template',
'user_notifications.confirm_old_email.text_body_template']
end
def index
overridden = params[:overridden] == 'true'
extras = {}
@ -80,7 +86,7 @@ class Admin::SiteTextsController < Admin::AdminController
end
def find_site_text
raise Discourse::NotFound unless I18n.exists?(params[:id])
raise Discourse::NotFound unless I18n.exists?(params[:id]) && !self.class.restricted_keys.include?(params[:id])
record_for(params[:id])
end
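Review bot: `find_site_text` now folds two distinct checks into one `unless` on the changed line, so a reader cannot tell whether a 404 means an unknown key or a deliberately blocked one; splitting the guards keeps the intent readable: `raise Discourse::NotFound unless I18n.exists?(params[:id])` followed by `raise Discourse::NotFound if self.class.restricted_keys.include?(params[:id])`. In the first hunk `restricted_keys` allocates a fresh, unfrozen Array on every call; a frozen constant such as `RESTRICTED_KEYS = %w[...].freeze` returned by the method would express that the set is fixed. Neither hunk records why these keys are off-limits; a one-line comment above `restricted_keys`, e.g. `# Keys that may not be overridden from the admin UI; existing overrides are removed by DeleteConfirmOldEmailTemplateOverrides`, keeps the reason next to the code. The class body continues outside both hunks, so whether `find_site_text` is wired as a before_action for every action that reads or writes a key cannot be confirmed from here.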


@ -0,0 +1,11 @@
class DeleteConfirmOldEmailTemplateOverrides < ActiveRecord::Migration[5.1]
def up
execute "DELETE FROM translation_overrides WHERE translation_key = 'user_notifications.confirm_old_email.title'"
execute "DELETE FROM translation_overrides WHERE translation_key = 'user_notifications.confirm_old_email.subject_template'"
execute "DELETE FROM translation_overrides WHERE translation_key = 'user_notifications.confirm_old_email.text_body_template'"
end
def down
raise ActiveRecord::IrreversibleMigration
end
end
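Review bot: `up` issues three separate DELETE statements for keys that differ only in their suffix; a single `DELETE FROM translation_overrides WHERE translation_key IN ('user_notifications.confirm_old_email.title', 'user_notifications.confirm_old_email.subject_template', 'user_notifications.confirm_old_email.text_body_template')` does the same work in one round trip and keeps the key list in one place. `down` correctly raises IrreversibleMigration since the deleted override values are not kept anywhere, but that reason should be stated, e.g. `# Deleted overrides are not backed up, so this migration cannot be undone`. The migration also removes admin customizations without any record of what was dropped; counting or logging the affected rows before the delete would let an operator explain the change afterwards.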


@ -0,0 +1,74 @@
require 'rails_helper'
RSpec.describe Admin::SiteTextsController do
let(:admin) { Fabricate(:admin) }
let(:user) { Fabricate(:user) }
let(:headers) { { ACCEPT: 'application/json' } }
after do
TranslationOverride.delete_all
I18n.reload!
end
context "#update" do
it "raises an error if you aren't logged in" do
put '/admin/customize/site_texts/some_key', params: {
site_text: { value: 'foo' }
}, headers: headers
expect(response.status).to eq(404)
end
it "raises an error if you aren't an admin" do
sign_in(user)
put '/admin/customize/site_texts/some_key', params: {
site_text: { value: 'foo' }
}, headers: headers
expect(response.status).to eq(404)
end
context "when logged in as admin" do
before do
sign_in(admin)
end
it "returns 'not found' when an unknown key is used" do
put '/admin/customize/site_texts/some_key', params: {
site_text: { value: 'foo' }
}, headers: headers
expect(response).not_to be_success
json = ::JSON.parse(response.body)
expect(json['error_type']).to eq('not_found')
end
it "works as expectd with correct keys" do
put '/admin/customize/site_texts/title', params: {
site_text: { value: 'foo' }
}, headers: headers
expect(response).to be_success
json = ::JSON.parse(response.body)
expect(json).to be_present
site_text = json['site_text']
expect(site_text).to be_present
expect(site_text['id']).to eq('title')
expect(site_text['value']).to eq('foo')
end
it "does not update restricted keys" do
put '/admin/customize/site_texts/user_notifications.confirm_old_email.title', params: {
site_text: { value: 'foo' }
}, headers: headers
expect(response).not_to be_success
json = ::JSON.parse(response.body)
expect(json['error_type']).to eq('not_found')
end
end
end
end
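Review bot: The "does not update restricted keys" example only asserts the 404 on the response and never checks that no override was persisted, which is the property the change is meant to guarantee; adding `expect(TranslationOverride.exists?(translation_key: 'user_notifications.confirm_old_email.title')).to eq(false)` after the JSON assertion pins the behaviour rather than the status code. Only `update` and only the `.title` key are exercised; the same `find_site_text` guard presumably applies to the other actions that look up a key, and `subject_template` and `text_body_template` are untested, so iterating over `Admin::SiteTextsController.restricted_keys` inside the example would cover all three cheaply. The example name on the "works as expectd with correct keys" line has a typo (`expectd` should be `expected`).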