FIX: restrict updates on `confirm_old_email` email templates
parent
f3385a74cb
commit
9f422c93f6
|
@ -23,7 +23,7 @@ class Admin::EmailTemplatesController < Admin::AdminController
|
||||||
"system_messages.unsilenced", "system_messages.user_automatically_silenced",
|
"system_messages.unsilenced", "system_messages.user_automatically_silenced",
|
||||||
"system_messages.welcome_invite", "system_messages.welcome_user", "test_mailer",
|
"system_messages.welcome_invite", "system_messages.welcome_user", "test_mailer",
|
||||||
"user_notifications.account_created", "user_notifications.admin_login",
|
"user_notifications.account_created", "user_notifications.admin_login",
|
||||||
"user_notifications.confirm_new_email", "user_notifications.confirm_old_email",
|
"user_notifications.confirm_new_email",
|
||||||
"user_notifications.notify_old_email", "user_notifications.forgot_password",
|
"user_notifications.notify_old_email", "user_notifications.forgot_password",
|
||||||
"user_notifications.set_password", "user_notifications.signup",
|
"user_notifications.set_password", "user_notifications.signup",
|
||||||
"user_notifications.signup_after_approval",
|
"user_notifications.signup_after_approval",
|
||||||
|
|
|
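Review bot: Removing `"user_notifications.confirm_old_email"` from this list hides the template from the admin email-template listing, but whether `Admin::EmailTemplatesController`'s update path validates `params[:id]` against this same list is not visible in the hunk and is worth confirming; if it does not, the only server-side guard this commit adds is the `restricted_keys` check in `Admin::SiteTextsController#find_site_text`. A short why-comment at the point of removal would stop the list and that guard drifting apart, e.g. `# confirm_old_email is intentionally absent: its keys are locked via Admin::SiteTextsController.restricted_keys`. The enclosing list and class continue outside the hunk.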
@ -7,6 +7,12 @@ class Admin::SiteTextsController < Admin::AdminController
|
||||||
'login_required.welcome_message']
|
'login_required.welcome_message']
|
||||||
end
|
end
|
||||||
|
|
||||||
|
def self.restricted_keys
|
||||||
|
['user_notifications.confirm_old_email.title',
|
||||||
|
'user_notifications.confirm_old_email.subject_template',
|
||||||
|
'user_notifications.confirm_old_email.text_body_template']
|
||||||
|
end
|
||||||
|
|
||||||
def index
|
def index
|
||||||
overridden = params[:overridden] == 'true'
|
overridden = params[:overridden] == 'true'
|
||||||
extras = {}
|
extras = {}
|
||||||
|
@ -80,7 +86,7 @@ class Admin::SiteTextsController < Admin::AdminController
|
||||||
end
|
end
|
||||||
|
|
||||||
def find_site_text
|
def find_site_text
|
||||||
raise Discourse::NotFound unless I18n.exists?(params[:id])
|
raise Discourse::NotFound unless I18n.exists?(params[:id]) && !self.class.restricted_keys.include?(params[:id])
|
||||||
record_for(params[:id])
|
record_for(params[:id])
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
|
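Review bot: `restricted_keys` builds a new, mutable three-element array on every `find_site_text` call; a frozen constant is the idiomatic form and gives the other places that repeat these three strings (the email-templates list and the migration) something to reference: `RESTRICTED_KEYS = %w[user_notifications.confirm_old_email.title user_notifications.confirm_old_email.subject_template user_notifications.confirm_old_email.text_body_template].freeze` with `raise Discourse::NotFound unless I18n.exists?(params[:id]) && !RESTRICTED_KEYS.include?(params[:id])` in `find_site_text`. Because the check lives in the shared `find_site_text` filter, every action that runs it answers 404 for these keys, not only update; which actions that covers is outside the hunk, so confirm that reading these texts through show is meant to be blocked as well. The intent deserves a comment on the method, e.g. `# Keys whose overrides are rejected outright; existing overrides are removed by DeleteConfirmOldEmailTemplateOverrides`. The enclosing class starts and ends outside both hunks.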
@ -0,0 +1,11 @@
|
||||||
|
class DeleteConfirmOldEmailTemplateOverrides < ActiveRecord::Migration[5.1]
|
||||||
|
def up
|
||||||
|
execute "DELETE FROM translation_overrides WHERE translation_key = 'user_notifications.confirm_old_email.title'"
|
||||||
|
execute "DELETE FROM translation_overrides WHERE translation_key = 'user_notifications.confirm_old_email.subject_template'"
|
||||||
|
execute "DELETE FROM translation_overrides WHERE translation_key = 'user_notifications.confirm_old_email.text_body_template'"
|
||||||
|
end
|
||||||
|
|
||||||
|
def down
|
||||||
|
raise ActiveRecord::IrreversibleMigration
|
||||||
|
end
|
||||||
|
end
|
|
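Review bot: The three `execute` calls in `up` repeat the same DELETE with a different key each; a single statement with an `IN` list is clearer and one round trip: `execute "DELETE FROM translation_overrides WHERE translation_key IN ('user_notifications.confirm_old_email.title', 'user_notifications.confirm_old_email.subject_template', 'user_notifications.confirm_old_email.text_body_template')"`. A one-line comment above it should say why the rows are dropped and why `down` raises `IrreversibleMigration` (the overridden text is discarded, so it cannot be restored). If overrides are cached in the running application process, a deployment keeps serving the deleted override until that cache is refreshed; that behaviour is not visible here and is worth checking.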
@ -0,0 +1,74 @@
|
||||||
|
require 'rails_helper'
|
||||||
|
|
||||||
|
RSpec.describe Admin::SiteTextsController do
|
||||||
|
let(:admin) { Fabricate(:admin) }
|
||||||
|
let(:user) { Fabricate(:user) }
|
||||||
|
let(:headers) { { ACCEPT: 'application/json' } }
|
||||||
|
|
||||||
|
after do
|
||||||
|
TranslationOverride.delete_all
|
||||||
|
I18n.reload!
|
||||||
|
end
|
||||||
|
|
||||||
|
context "#update" do
|
||||||
|
it "raises an error if you aren't logged in" do
|
||||||
|
put '/admin/customize/site_texts/some_key', params: {
|
||||||
|
site_text: { value: 'foo' }
|
||||||
|
}, headers: headers
|
||||||
|
expect(response.status).to eq(404)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "raises an error if you aren't an admin" do
|
||||||
|
sign_in(user)
|
||||||
|
put '/admin/customize/site_texts/some_key', params: {
|
||||||
|
site_text: { value: 'foo' }
|
||||||
|
}, headers: headers
|
||||||
|
expect(response.status).to eq(404)
|
||||||
|
end
|
||||||
|
|
||||||
|
context "when logged in as admin" do
|
||||||
|
before do
|
||||||
|
sign_in(admin)
|
||||||
|
end
|
||||||
|
|
||||||
|
it "returns 'not found' when an unknown key is used" do
|
||||||
|
put '/admin/customize/site_texts/some_key', params: {
|
||||||
|
site_text: { value: 'foo' }
|
||||||
|
}, headers: headers
|
||||||
|
|
||||||
|
expect(response).not_to be_success
|
||||||
|
|
||||||
|
json = ::JSON.parse(response.body)
|
||||||
|
expect(json['error_type']).to eq('not_found')
|
||||||
|
end
|
||||||
|
|
||||||
|
it "works as expectd with correct keys" do
|
||||||
|
put '/admin/customize/site_texts/title', params: {
|
||||||
|
site_text: { value: 'foo' }
|
||||||
|
}, headers: headers
|
||||||
|
|
||||||
|
expect(response).to be_success
|
||||||
|
|
||||||
|
json = ::JSON.parse(response.body)
|
||||||
|
expect(json).to be_present
|
||||||
|
|
||||||
|
site_text = json['site_text']
|
||||||
|
expect(site_text).to be_present
|
||||||
|
|
||||||
|
expect(site_text['id']).to eq('title')
|
||||||
|
expect(site_text['value']).to eq('foo')
|
||||||
|
end
|
||||||
|
|
||||||
|
it "does not update restricted keys" do
|
||||||
|
put '/admin/customize/site_texts/user_notifications.confirm_old_email.title', params: {
|
||||||
|
site_text: { value: 'foo' }
|
||||||
|
}, headers: headers
|
||||||
|
|
||||||
|
expect(response).not_to be_success
|
||||||
|
|
||||||
|
json = ::JSON.parse(response.body)
|
||||||
|
expect(json['error_type']).to eq('not_found')
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
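Review bot: The "does not update restricted keys" example at the end only asserts the 404 response; it should also assert that nothing was persisted, e.g. `expect(TranslationOverride.where(translation_key: 'user_notifications.confirm_old_email.title')).to be_empty`, since the status alone does not show the write was rejected. That example covers only the `.title` key, while `.subject_template` and `.text_body_template` from `restricted_keys` are untested, and no example exercises show for these keys even though the guard sits in the shared `find_site_text`. The example name `"works as expectd with correct keys"` has a typo: `expected`.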