github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-23 21:31:04 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: moderator shouldn't be able to import a theme via API (#18418)

Browse Source 
* SECURITY: moderator shouldn't be able to import a theme via API.
* DEV: apply `AdminConstraint` for all the "themes" routes.

Co-authored-by: Vinoth Kannan <svkn.87@gmail.com>
This commit is contained in:
Jarek Radosz
2022-09-29 20:00:20 +02:00
committed by GitHub
parent ba139b8c23
commit ae1e536e83
3 changed files with 19 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/admin/themes_controller.rb
View File

@ -5,6 +5,7 @@ require 'base64'
class Admin::ThemesController < Admin::AdminController class Admin::ThemesController < Admin::AdminController
skip_before_action :check_xhr, only: [:show, :preview, :export] skip_before_action :check_xhr, only: [:show, :preview, :export]
before_action :ensure_admin
def preview def preview
theme = Theme.find_by(id: params[:id]) theme = Theme.find_by(id: params[:id])

18
config/routes.rb
View File

@ -206,13 +206,17 @@ Discourse::Application.routes.draw do
get "customize/embedding" => "embedding#show", constraints: AdminConstraint.new get "customize/embedding" => "embedding#show", constraints: AdminConstraint.new
put "customize/embedding" => "embedding#update", constraints: AdminConstraint.new put "customize/embedding" => "embedding#update", constraints: AdminConstraint.new
resources :themes, constraints: AdminConstraint.new resources :themes, constraints: AdminConstraint.new do
member do
post "themes/import" => "themes#import" get "preview" => "themes#preview"
post "themes/upload_asset" => "themes#upload_asset" put "setting" => "themes#update_single_setting"
post "themes/generate_key_pair" => "themes#generate_key_pair" end
get "themes/:id/preview" => "themes#preview" collection do
put "themes/:id/setting" => "themes#update_single_setting" post "import" => "themes#import"
post "upload_asset" => "themes#upload_asset"
post "generate_key_pair" => "themes#generate_key_pair"
end
end
scope "/customize", constraints: AdminConstraint.new do scope "/customize", constraints: AdminConstraint.new do
resources :user_fields, constraints: AdminConstraint.new resources :user_fields, constraints: AdminConstraint.new

7
spec/requests/admin/themes_controller_spec.rb
View File

@ -160,6 +160,13 @@ RSpec.describe Admin::ThemesController do
expect(response.status).to eq(201) expect(response.status).to eq(201)
end end
it 'should not be able to import a theme by moderator' do
sign_in(Fabricate(:moderator))
post "/admin/themes/import.json", params: { theme: theme_json_file }
expect(response.status).to eq(404)
end
it 'imports a theme' do it 'imports a theme' do
post "/admin/themes/import.json", params: { theme: theme_json_file } post "/admin/themes/import.json", params: { theme: theme_json_file }
expect(response.status).to eq(201) expect(response.status).to eq(201)