SECURITY: moderator shouldn't be able to import a theme via API (#18418)

* SECURITY: moderator shouldn't be able to import a theme via API.
* DEV: apply `AdminConstraint` for all the "themes" routes.

Co-authored-by: Vinoth Kannan <svkn.87@gmail.com>
Jarek Radosz
2022-09-29 20:00:20 +02:00
committed by GitHub
parent ba139b8c23
commit ae1e536e83
3 changed files with 19 additions and 7 deletions


@ -206,13 +206,17 @@ Discourse::Application.routes.draw do
get "customize/embedding" => "embedding#show", constraints: AdminConstraint.new
put "customize/embedding" => "embedding#update", constraints: AdminConstraint.new
resources :themes, constraints: AdminConstraint.new
post "themes/import" => "themes#import"
post "themes/upload_asset" => "themes#upload_asset"
post "themes/generate_key_pair" => "themes#generate_key_pair"
get "themes/:id/preview" => "themes#preview"
put "themes/:id/setting" => "themes#update_single_setting"
resources :themes, constraints: AdminConstraint.new do
member do
get "preview" => "themes#preview"
put "setting" => "themes#update_single_setting"
end
collection do
post "import" => "themes#import"
post "upload_asset" => "themes#upload_asset"
post "generate_key_pair" => "themes#generate_key_pair"
end
end
scope "/customize", constraints: AdminConstraint.new do
resources :user_fields, constraints: AdminConstraint.new
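Review bot: The admin-only guarantee for `import`, `upload_asset`, `generate_key_pair`, `preview` and `setting` now depends on those routes staying nested inside `resources :themes, constraints: AdminConstraint.new do`, and nothing in this section says so; a route later added beside the block instead of inside it would presumably get only whatever constraint the enclosing scope applies, which is the gap this commit closes. I would add a comment above the block, for example `# Admin only: keep every themes route inside this block so AdminConstraint applies.` A routing constraint is a single layer, so the controller actions should enforce the admin check themselves and a request spec should assert that a moderator is rejected on each of the five routes; the other two changed files are not visible here, so this may already be covered. The named route helpers probably change with the move into `member`/`collection` blocks, so callers that use the old helper names are worth checking.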