From a19027afae3c8bf5fe52649b00a9191a9171811c Mon Sep 17 00:00:00 2001
From: David Battersby
Date: Wed, 10 May 2023 14:26:49 +0800
Subject: [PATCH] FIX: show 404 on new category page for moderators when Site Setting disabled (#21448)

Currently the /new-category url can be accessed by moderators, regardless of whether the Site Setting for moderators_manage_categories_and_groups is true or false. On top of this, non authorized users can also access this page but shows errors (no 404 loaded). Since the 404 redirect happens within Ember, we need to allow the site setting value to be accessed within JS. After this change all non admin users will see a 404 for this route, the exception being moderators if the moderators_manage_categories_and_groups setting has a value of true. /t/73360
---
 .../discourse/app/routes/new-category.js | 15 +++++++++++
 .../tests/acceptance/category-new-test.js | 27 +++++++++++++++++++
 config/site_settings.yml | 4 ++-
 3 files changed, 45 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/discourse/app/routes/new-category.js b/app/assets/javascripts/discourse/app/routes/new-category.js
index 7dbead0fad1..8a0152174e7 100644
--- a/app/assets/javascripts/discourse/app/routes/new-category.js
+++ b/app/assets/javascripts/discourse/app/routes/new-category.js
@@ -12,6 +12,21 @@ export function setNewCategoryDefaultColors(backgroundColor, textColor) {
 }
 
 export default DiscourseRoute.extend({
+  beforeModel() {
+    if (!this.currentUser) {
+      this.replaceWith("/404");
+      return;
+    }
+    if (!this.currentUser.admin) {
+      if (
+        !this.currentUser.moderator ||
+        this.siteSettings.moderators_manage_categories_and_groups === false
+      ) {
+        this.replaceWith("/404");
+      }
+    }
+  },
+
   model() {
     return Promise.resolve(this.groupPermissions())
       .then((permissions) => {
diff --git a/app/assets/javascripts/discourse/tests/acceptance/category-new-test.js b/app/assets/javascripts/discourse/tests/acceptance/category-new-test.js
index 77f4cdd89d0..e5b04cc03a2 100644
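Review bot: The moderator branch in beforeModel fails open when the setting is absent from the client payload: `this.siteSettings.moderators_manage_categories_and_groups === false` is false for `undefined`, so a moderator would reach the page whenever the value is not delivered (the yml hunk adds `client: true`, but the guard's correctness should not hinge on that). A truthiness check closes it: `!this.siteSettings.moderators_manage_categories_and_groups`. As a style point, the two nested `if`s can collapse into one guard, e.g. `if (!this.currentUser.admin && (!this.currentUser.moderator || !this.siteSettings.moderators_manage_categories_and_groups))`. This redirect runs in Ember and is a UX measure only; the server-side authorization on the category create endpoint is presumably what actually protects the action and should enforce the same rule.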
--- a/app/assets/javascripts/discourse/tests/acceptance/category-new-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/category-new-test.js
@@ -10,6 +10,33 @@ import sinon from "sinon";
 import { test } from "qunit";
 import selectKit from "discourse/tests/helpers/select-kit-helper";
 
+acceptance("New category access for moderators", function (needs) {
+  needs.user({ moderator: true, admin: false, trust_level: 1 });
+
+  test("Authorizes access based on site setting", async function (assert) {
+    this.siteSettings.moderators_manage_categories_and_groups = false;
+    await visit("/new-category");
+
+    assert.strictEqual(currentURL(), "/404");
+
+    this.siteSettings.moderators_manage_categories_and_groups = true;
+    await visit("/new-category");
+
+    assert.strictEqual(
+      currentURL(),
+      "/new-category",
+      "it allows access to new category when site setting is enabled"
+    );
+  });
+});
+
+acceptance("New category access for non authorized users", function () {
+  test("Prevents access when not signed in", async function (assert) {
+    await visit("/new-category");
+    assert.strictEqual(currentURL(), "/404");
+  });
+});
+
 acceptance("Category New", function (needs) {
   needs.user();
 
diff --git a/config/site_settings.yml b/config/site_settings.yml
index bb298ea862b..6f99c27d387 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -1708,7 +1708,9 @@ security:
   allow_indexing_non_canonical_urls:
     default: true
     hidden: true
-  moderators_manage_categories_and_groups: false
+  moderators_manage_categories_and_groups:
+    default: false
+    client: true
   moderators_change_post_ownership:
     client: true
    default: false
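Review bot: The new acceptance blocks cover an anonymous visitor and a moderator, but not a signed-in non-staff user, which the commit message says must also see the 404 and which the route guard redirects on the `!this.currentUser.moderator` branch. A third block with `needs.user({ moderator: false, admin: false, trust_level: 1 })` pins that path so a later change to the guard cannot quietly widen access. The first test also only asserts the URL after the enabled-setting visit; a short assertion that the form rendered would make the "allowed" half as strong as the "denied" half.
```javascript
acceptance("New category access for non staff users", function (needs) {
  needs.user({ moderator: false, admin: false, trust_level: 1 });

  test("Prevents access for regular users", async function (assert) {
    await visit("/new-category");
    assert.strictEqual(currentURL(), "/404");
  });
});
```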