FIX: Only render admin notice dismiss button for admins (#29103)

Dismissing admin notices is an admin-only action. This is enforced on the back-end both by a routing constraint and a policy in the relevant service.

However, we still unconditionally display the "Dismiss" button to anyone with access to the admin dashboard. When clicked, it results in a 404 modal (due to the routing constraint).

With this change we only render the dismiss button for admins.
Ted Johansson 2024-10-07 13:14:01 +08:00 committed by GitHub
parent 8d1867688f
commit ec7703e622
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
2 changed files with 40 additions and 13 deletions


@ -1,25 +1,34 @@
import Component from "@glimmer/component";
import { action } from "@ember/object";
import { service } from "@ember/service";
import { htmlSafe } from "@ember/template";
import DButton from "discourse/components/d-button";
import icon from "discourse-common/helpers/d-icon";
export default class AdminNotice extends Component {
@service currentUser;
@action
dismiss() {
this.args.dismissCallback(this.args.problem);
}
get canDismiss() {
return this.currentUser.admin;
}
<template>
<div class="notice">
<div class="message">
{{if @icon (icon @icon)}}
{{htmlSafe @problem.message}}
</div>
{{#if this.canDismiss}}
<DButton
@action={{this.dismiss}}
@label="admin.dashboard.dismiss_notice"
/>
{{/if}}
</div>
</template>
}
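Review bot: The `canDismiss` getter repeats the admin-only rule on the client, and nothing in the component says that this check is presentational only. The commit message places the real enforcement in a routing constraint and a service policy, so a short comment on the getter would keep a later reader from treating it as the access control, e.g. `// UI hint only: dismissal is authorized server-side (route constraint + policy).` Separately, `{{htmlSafe @problem.message}}` outputs the message without escaping. That line may predate this commit, but it is worth confirming that notice messages are always server-generated or sanitized, since the notice is shown to every user who can open the dashboard.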


@ -1,18 +1,19 @@
# frozen_string_literal: true
describe "Admin Notices", type: :system do
fab!(:admin)
let(:admin_dashboard) { PageObjects::Pages::AdminDashboard.new }
before do
Fabricate(:admin_notice)
I18n.backend.store_translations(:en, dashboard: { problem: { test_notice: "Houston" } })
sign_in(admin)
end
context "when signed in as admin" do
fab!(:admin)
before { sign_in(admin) }
it "supports dismissing admin notices" do
admin_dashboard.visit
@ -23,3 +24,20 @@ describe "Admin Notices", type: :system do
expect(admin_dashboard).to have_no_admin_notice(I18n.t("dashboard.problem.test_notice"))
end
end
context "when signed in as moderator" do
fab!(:moderator)
before { sign_in(moderator) }
it "doesn't render dismiss button on admin notices" do
admin_dashboard.visit
expect(admin_dashboard).to have_admin_notice(I18n.t("dashboard.problem.test_notice"))
expect(admin_dashboard).to have_no_css(
".dashboard-problem .btn",
text: I18n.t("admin_js.admin.dashboard.dismiss_notice"),
)
end
end
end
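Review bot: The moderator example relies on a purely negative assertion, `have_no_css(".dashboard-problem .btn", ...)`, which also passes if the selector or the translation key stops matching the real button. Anchoring the same selector with a positive check in the admin context would catch that drift, for example `expect(admin_dashboard).to have_css(".dashboard-problem .btn", text: I18n.t("admin_js.admin.dashboard.dismiss_notice"))`. The admin example's body lies partly outside the visible hunks, so it may already cover this through the page object. This spec also covers rendering only; whether a moderator's direct dismiss request is rejected is presumably tested alongside the routing constraint and policy, which are not shown here.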