FIX: Don't allow access to plugin page if plugin is not visible (#26431)

Plugins that are hidden or disabled aren't shown in the plugins list at `/admin/plugins` because they cannot be changed. However, the `#show` route doesn't check for the plugin's state and responds with 200 and the plugin's info even if the plugin is hidden or disabled. This commit makes the `#show` route respond with 404 if the plugin is hidden or disabled.
Osama Sayegh
2024-04-02 16:26:15 +03:00
committed by GitHub
parent 50caef6783
commit 3b86dee520
2 changed files with 9 additions and 1 deletions

@ -77,6 +77,14 @@ RSpec.describe Admin::PluginsController do
expect(response.status).to eq(404)
expect(response.parsed_body["errors"]).to include(I18n.t("not_found"))
end
it "404s if the plugin is not visible" do
poll = Discourse.plugins_by_name["poll"]
poll.stubs(:visible?).returns(false)
get "/admin/plugins/poll.json"
expect(response.status).to eq(404)
end
end
context "when logged in as a moderator" do
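
Review bot: The new example "404s if the plugin is not visible" only checks `response.status`, while the example just above it also asserts `response.parsed_body["errors"]` includes `I18n.t("not_found")`. Add the same body assertion here so the test proves the 404 carries the standard not-found payload and none of the plugin's info, which is the leak the commit message describes. The commit message also names two states, hidden and disabled, but the spec stubs `visible?` to return false directly, so neither state is exercised through whatever logic computes `visible?`. Consider one example per state (a hidden plugin and a disabled plugin) set up through the plugin's real attributes, so a later change to `visible?` cannot silently reopen the route for one of them.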