SECURITY: Moderators cannot see user emails.

Unless `moderators_view_emails` SiteSetting is enabled, moderators should not be able to discover users’ emails.
2025-06-01 03:54:33 +08:00 · 2024-11-13 14:04:20 +11:00
parent 023b61ad22
commit 95564a3df2
9 changed files with 112 additions and 12 deletions
--- a/spec/system/admin_sidebar_navigation_spec.rb
+++ b/spec/system/admin_sidebar_navigation_spec.rb
@ -292,6 +292,29 @@ describe "Admin Revamp | Sidebar Navigation", type: :system do
        "What's New",
        "All",
        "Watched Words",
+        "Screened IPs",
+        "Screened URLs",
+        "Search Logs",
+        "Staff Action Logs",
+      ],
+    )
+  end
+
+  it "displays limited links for moderator with screened emails if allowed" do
+    SiteSetting.moderators_view_emails = true
+    sign_in(moderator)
+    visit("/admin")
+
+    sidebar.toggle_all_sections
+
+    links = page.all(".sidebar-section-link-content-text")
+    expect(links.map(&:text)).to eq(
+      [
+        "Dashboard",
+        "Users",
+        "What's New",
+        "All",
+        "Watched Words",
        "Screened Emails",
        "Screened IPs",
        "Screened URLs",