SECURITY: Ensure site setting being updated is a configurable site setting (#21132)
parent
bd301c3f08
commit
bbc7746cef
|
@ -38,7 +38,7 @@ class Admin::SiteSettingsController < Admin::AdminController
|
|||
value = Upload.get_from_url(value) || "" if SiteSetting.type_supervisor.get_type(id) == :upload
|
||||
|
||||
update_existing_users = params[:update_existing_user].present?
|
||||
previous_value = value_or_default(SiteSetting.public_send(id)) if update_existing_users
|
||||
previous_value = value_or_default(SiteSetting.get(id)) if update_existing_users
|
||||
|
||||
SiteSetting.set_and_log(id, value, current_user)
|
||||
|
||||
|
|
|
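Review bot: Swapping `public_send` for `SiteSetting.get` on the `previous_value` line closes the arbitrary public-method call, but that line only runs when `update_existing_user` is present; on the default path `id` still reaches `SiteSetting.type_supervisor.get_type(id)` and `SiteSetting.set_and_log(id, value, current_user)` before anything has confirmed it names a real setting. The SiteSettingExtension hunks in this commit show `set_and_log` raising `Discourse::InvalidParameters` for unknown names, so the outcome is presumably still a 422, but the invariant now lives in two other methods rather than in the action. A single guard at the top of the action would make it local and easy to audit, assuming `has_setting?` is public on `SiteSetting`: `raise Discourse::InvalidParameters.new(I18n.t("errors.site_settings.invalid_site_setting", name: id)) unless SiteSetting.has_setting?(id)`. The action's signature and the assignment of `id` are outside the hunk.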
@ -198,6 +198,7 @@ en:
|
|||
embed:
|
||||
load_from_remote: "There was an error loading that post."
|
||||
site_settings:
|
||||
invalid_site_setting: "No setting named '%{name}' exists"
|
||||
invalid_category_id: "You specified a category that does not exist"
|
||||
invalid_choice:
|
||||
one: "You specified the invalid choice %{name}"
|
||||
|
|
|
@ -438,7 +438,9 @@ module SiteSettingExtension
|
|||
value = prev_value = "[FILTERED]" if secret_settings.include?(name.to_sym)
|
||||
StaffActionLogger.new(user).log_site_setting_change(name, prev_value, value)
|
||||
else
|
||||
raise Discourse::InvalidParameters.new("No setting named '#{name}' exists")
|
||||
raise Discourse::InvalidParameters.new(
|
||||
I18n.t("errors.site_settings.invalid_site_setting", name: name),
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
@ -446,7 +448,9 @@ module SiteSettingExtension
|
|||
if has_setting?(name)
|
||||
self.public_send(name)
|
||||
else
|
||||
raise Discourse::InvalidParameters.new("No setting named '#{name}' exists")
|
||||
raise Discourse::InvalidParameters.new(
|
||||
I18n.t("errors.site_settings.invalid_site_setting", name: name),
|
||||
)
|
||||
end
|
||||
end
|
||||
|
||||
|
|
|
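Review bot: The same `raise Discourse::InvalidParameters.new(I18n.t("errors.site_settings.invalid_site_setting", name: name))` now appears twice in this file, in the `else` branch of the method that calls `log_site_setting_change` (first hunk) and in the `else` branch of the method that checks `has_setting?(name)` (second hunk); a small private helper such as `def raise_invalid_site_setting(name)` would keep the error class and message key in one place. Note also that `name` is caller-supplied and is echoed back in a message the controller returns to the client; that is fine in a JSON `errors` array, but confirm it is not rendered unescaped in any HTML view. Both enclosing methods begin before their hunks.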
@ -253,6 +253,19 @@ RSpec.describe Admin::SiteSettingsController do
|
|||
expect(SiteSetting.search_tokenize_chinese).to eq(true)
|
||||
end
|
||||
|
||||
it "throws an error when the parameter is not a configurable site setting" do
|
||||
put "/admin/site_settings/clear_cache!.json",
|
||||
params: {
|
||||
clear_cache!: "",
|
||||
update_existing_user: true,
|
||||
}
|
||||
|
||||
expect(response.status).to eq(422)
|
||||
expect(response.parsed_body["errors"]).to contain_exactly(
|
||||
"No setting named 'clear_cache!' exists",
|
||||
)
|
||||
end
|
||||
|
||||
it "throws an error when trying to change a deprecated setting with override = false" do
|
||||
SiteSetting.personal_message_enabled_groups = Group::AUTO_GROUPS[:trust_level_4]
|
||||
put "/admin/site_settings/enable_personal_messages.json",
|
||||
|
|
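Review bot: The new example only exercises the `update_existing_user: true` branch, which is exactly the line the controller change guards; the default path, where rejection depends on `set_and_log` raising, is left untested. Add a sibling case that omits the parameter and still expects 422, e.g. `put "/admin/site_settings/clear_cache!.json", params: { clear_cache!: "" }` followed by `expect(response.status).to eq(422)`, so a future refactor of `set_and_log` cannot silently reopen the path. The `describe` block and the following example continue outside the hunk.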