From f7d37024546ec9746da7c2d8b8d4b30f63137c88 Mon Sep 17 00:00:00 2001
From: Guo Xiang Tan
Date: Thu, 10 Aug 2017 18:27:01 +0900
Subject: [PATCH] FIX: Return 404 if API access is invalid.

---
 lib/staff_constraint.rb | 2 ++
 spec/integration/admin/admin_controller_spec.rb | 9 +++++++++
 2 files changed, 11 insertions(+)
 create mode 100644 spec/integration/admin/admin_controller_spec.rb

diff --git a/lib/staff_constraint.rb b/lib/staff_constraint.rb
index 19c3acf4220..ba4dc0a36cd 100644
--- a/lib/staff_constraint.rb
+++ b/lib/staff_constraint.rb
@@ -5,6 +5,8 @@ class StaffConstraint
 def matches?(request)
 provider = Discourse.current_user_provider.new(request.env)
 provider.current_user && provider.current_user.staff?
+ rescue Discourse::InvalidAccess
+ false
 end
 end
diff --git a/spec/integration/admin/admin_controller_spec.rb b/spec/integration/admin/admin_controller_spec.rb
new file mode 100644
index 00000000000..62beaaca421
--- /dev/null
+++ b/spec/integration/admin/admin_controller_spec.rb
@@ -0,0 +1,9 @@
+require 'rails_helper'
+
+RSpec.describe "Admin::AdminController" do
+ it "should return the right response if user isn't a staff" do
+ expect do
+ get "/admin", api_key: 'asdiasiduga'
+ end.to raise_error(ActionController::RoutingError)
+ end
+end
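Review bot: The new method-level `rescue Discourse::InvalidAccess` maps a rejected API key to a bare `false` with nothing recorded about why, so a 404 on `/admin` produced by a bad key becomes indistinguishable from a genuinely missing route when someone later has to diagnose it; the choice itself is defensible (a routing constraint should not confirm to an unauthenticated caller that the admin routes exist), but it deserves a comment. I would put above the `rescue` line `# An invalid API key makes the user provider raise InvalidAccess; treat the request as non-staff so the route falls through to a 404 instead of letting the error escape the constraint.` Because the rescue covers the whole method body, an InvalidAccess raised by `current_user` or `staff?` for any other reason is also silently turned into a 404 — if the provider can raise it in situations other than a bad key, say so in that comment. The enclosing `class StaffConstraint` opens above the hunk.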
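Review bot: The example description `it "should return the right response if user isn't a staff"` does not match what the example exercises: the request carries an unknown API key (`api_key: 'asdiasiduga'`), so the behaviour being pinned is the new `rescue Discourse::InvalidAccess` path in StaffConstraint, not the non-staff-user case. I would rename it to `it "raises a RoutingError (404) when the API key is invalid" do` and add a second example that requests `/admin` with a valid key for a non-staff user, since that is the branch where `matches?` returns false without raising and it is not covered here. The hard-coded key is fine for a negative test as long as it stays obviously fake; if the suite ever seeded a key with that value the expectation would invert silently.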