FIX: Only render admin notice dismiss button for admins (#29103)
Dismissing admin notices is an admin-only action. This is enforced on the back-end both by a routing constraint and a policy in the relevant service. However, we still unconditionally display the "Dismiss" button to anyone with access to the admin dashboard. When clicked, it results in a 404 modal (due to the routing constraint). With this change, we only render the dismiss button for admins.
parent
8d1867688f
commit
ec7703e622
|
@ -1,25 +1,34 @@
|
|||
import Component from "@glimmer/component";
|
||||
import { action } from "@ember/object";
|
||||
import { service } from "@ember/service";
|
||||
import { htmlSafe } from "@ember/template";
|
||||
import DButton from "discourse/components/d-button";
|
||||
import icon from "discourse-common/helpers/d-icon";
|
||||
|
||||
export default class AdminNotice extends Component {
|
||||
@service currentUser;
|
||||
|
||||
@action
|
||||
dismiss() {
|
||||
this.args.dismissCallback(this.args.problem);
|
||||
}
|
||||
|
||||
get canDismiss() {
|
||||
return this.currentUser.admin;
|
||||
}
|
||||
|
||||
<template>
|
||||
<div class="notice">
|
||||
<div class="message">
|
||||
{{if @icon (icon @icon)}}
|
||||
{{htmlSafe @problem.message}}
|
||||
</div>
|
||||
{{#if this.canDismiss}}
|
||||
<DButton
|
||||
@action={{this.dismiss}}
|
||||
@label="admin.dashboard.dismiss_notice"
|
||||
/>
|
||||
{{/if}}
|
||||
</div>
|
||||
</template>
|
||||
}
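Review bot: `canDismiss` reads like an authorization check but only controls rendering, so the getter deserves a comment saying so; per the commit description, the real enforcement is the server-side routing constraint and the service policy. I would add above it `// Presentation only: dismissal is authorized server-side (routing constraint + service policy); keep this in sync with that rule.` so that a later change does not relax the back-end on the assumption that the button is hidden. Separately, `{{htmlSafe @problem.message}}` in the same template outputs the message without escaping; the page has lost its +/- markers, so whether that line predates this commit is not visible here, but it is worth confirming that notice messages never carry unsanitized user-controlled text.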
|
||||
|
|
|
@ -1,18 +1,19 @@
|
|||
# frozen_string_literal: true
|
||||
|
||||
describe "Admin Notices", type: :system do
|
||||
fab!(:admin)
|
||||
|
||||
let(:admin_dashboard) { PageObjects::Pages::AdminDashboard.new }
|
||||
|
||||
before do
|
||||
Fabricate(:admin_notice)
|
||||
|
||||
I18n.backend.store_translations(:en, dashboard: { problem: { test_notice: "Houston" } })
|
||||
|
||||
sign_in(admin)
|
||||
end
|
||||
|
||||
context "when signed in as admin" do
|
||||
fab!(:admin)
|
||||
|
||||
before { sign_in(admin) }
|
||||
|
||||
it "supports dismissing admin notices" do
|
||||
admin_dashboard.visit
|
||||
|
||||
|
@ -23,3 +24,20 @@ describe "Admin Notices", type: :system do
|
|||
expect(admin_dashboard).to have_no_admin_notice(I18n.t("dashboard.problem.test_notice"))
|
||||
end
|
||||
end
|
||||
|
||||
context "when signed in as moderator" do
|
||||
fab!(:moderator)
|
||||
|
||||
before { sign_in(moderator) }
|
||||
|
||||
it "doesn't render dismiss button on admin notices" do
|
||||
admin_dashboard.visit
|
||||
|
||||
expect(admin_dashboard).to have_admin_notice(I18n.t("dashboard.problem.test_notice"))
|
||||
expect(admin_dashboard).to have_no_css(
|
||||
".dashboard-problem .btn",
|
||||
text: I18n.t("admin_js.admin.dashboard.dismiss_notice"),
|
||||
)
|
||||
end
|
||||
end
|
||||
end
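Review bot: The moderator example's `have_no_css(".dashboard-problem .btn", text: ...)` can pass vacuously, because a negative match succeeds just as well when the selector or the `admin_js.admin.dashboard.dismiss_notice` key no longer matches the rendered markup as when the button is really hidden. Asserting the same selector positively in the admin context before dismissing, e.g. `expect(admin_dashboard).to have_css(".dashboard-problem .btn", text: I18n.t("admin_js.admin.dashboard.dismiss_notice"))`, would tie the two examples together; the admin example's body is cut between the two hunks, so it may already do this through the page object. This spec covers rendering only: if no request spec does so already, one confirming that a moderator's dismiss request is rejected would pin the enforcement the description relies on.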
|
||||
|
|