FIX: show 404 on new category page for moderators when Site Setting disabled (#21448)

Currently the /new-category url can be accessed by moderators, regardless of whether the Site Setting for moderators_manage_categories_and_groups is true or false. On top of this, non authorized users can also access this page but shows errors (no 404 loaded). Since the 404 redirect happens within Ember, we need to allow the site setting value to be accessed within JS. After this change all non admin users will see a 404 for this route, the exception being moderators if the moderators_manage_categories_and_groups setting has a value of true. /t/73360
2023-05-10 14:26:49 +08:00 · 2023-05-10 14:26:49 +08:00 · a19027afae
parent 5d8632d484
commit a19027afae
3 changed files with 45 additions and 1 deletions
--- a/app/assets/javascripts/discourse/app/routes/new-category.js
+++ b/app/assets/javascripts/discourse/app/routes/new-category.js
@ -12,6 +12,21 @@ export function setNewCategoryDefaultColors(backgroundColor, textColor) {
 }

 export default DiscourseRoute.extend({
+  beforeModel() {
+    if (!this.currentUser) {
+      this.replaceWith("/404");
+      return;
+    }
+    if (!this.currentUser.admin) {
+      if (
+        !this.currentUser.moderator ||
+        this.siteSettings.moderators_manage_categories_and_groups === false
+      ) {
+        this.replaceWith("/404");
+      }
+    }
+  },
+
  model() {
    return Promise.resolve(this.groupPermissions())
      .then((permissions) => {
--- a/app/assets/javascripts/discourse/tests/acceptance/category-new-test.js
+++ b/app/assets/javascripts/discourse/tests/acceptance/category-new-test.js
@ -10,6 +10,33 @@ import sinon from "sinon";
 import { test } from "qunit";
 import selectKit from "discourse/tests/helpers/select-kit-helper";

+acceptance("New category access for moderators", function (needs) {
+  needs.user({ moderator: true, admin: false, trust_level: 1 });
+
+  test("Authorizes access based on site setting", async function (assert) {
+    this.siteSettings.moderators_manage_categories_and_groups = false;
+    await visit("/new-category");
+
+    assert.strictEqual(currentURL(), "/404");
+
+    this.siteSettings.moderators_manage_categories_and_groups = true;
+    await visit("/new-category");
+
+    assert.strictEqual(
+      currentURL(),
+      "/new-category",
+      "it allows access to new category when site setting is enabled"
+    );
+  });
+});
+
+acceptance("New category access for non authorized users", function () {
+  test("Prevents access when not signed in", async function (assert) {
+    await visit("/new-category");
+    assert.strictEqual(currentURL(), "/404");
+  });
+});
+
 acceptance("Category New", function (needs) {
  needs.user();

--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@ -1708,7 +1708,9 @@ security:
  allow_indexing_non_canonical_urls:
    default: true
    hidden: true
-  moderators_manage_categories_and_groups: false
+  moderators_manage_categories_and_groups:
+    default: false
+    client: true
  moderators_change_post_ownership:
    client: true
    default: false