Discourse/discourse
Discourse/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-09-06 10:50:21 +08:00
Code Packages Activity Actions 9

FIX: Some badge routes were still working even with badges disabled

Browse source
This commit is contained in:
Robin Ward 2017-11-21 12:22:24 -05:00
parent 9444c31918
commit 628275fc31
5 changed files with 35 additions and 4 deletions
Download patch file Download diff file Expand all files Collapse all files

6
app/controllers/user_badges_controller.rb
View file

@ -1,4 +1,6 @@
class UserBadgesController < ApplicationController class UserBadgesController < ApplicationController
before_action :ensure_badges_enabled
def index def index
params.permit [:granted_before, :offset, :username] params.permit [:granted_before, :offset, :username]
@ -106,4 +108,8 @@ class UserBadgesController < ApplicationController
master_api_call = current_user.nil? && is_api? master_api_call = current_user.nil? && is_api?
master_api_call || guardian.can_grant_badges?(user) master_api_call || guardian.can_grant_badges?(user)
end end
def ensure_badges_enabled
raise Discourse::NotFound unless SiteSetting.enable_badges?
end
end end

8
app/controllers/users_controller.rb
View file

@ -8,7 +8,7 @@ require_dependency 'admin_confirmation'
class UsersController < ApplicationController class UsersController < ApplicationController
skip_before_action :authorize_mini_profiler, only: [:avatar] skip_before_action :authorize_mini_profiler, only: [:avatar]
skip_before_action :check_xhr, only: [:show, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin] skip_before_action :check_xhr, only: [:show, :badges, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin]
before_action :ensure_logged_in, only: [:username, :update, :user_preferences_redirect, :upload_user_image, before_action :ensure_logged_in, only: [:username, :update, :user_preferences_redirect, :upload_user_image,
:pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state] :pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state]
@ -67,6 +67,7 @@ class UsersController < ApplicationController
format.html do format.html do
@restrict_fields = guardian.restrict_user_fields?(@user) @restrict_fields = guardian.restrict_user_fields?(@user)
store_preloaded("user_#{@user.username}", MultiJson.dump(user_serializer)) store_preloaded("user_#{@user.username}", MultiJson.dump(user_serializer))
render :show
end end
format.json do format.json do
@ -75,6 +76,11 @@ class UsersController < ApplicationController
end end
end end
def badges
raise Discourse::NotFound unless SiteSetting.enable_badges?
show
end
def card_badge def card_badge
end end

2
config/routes.rb
View file

@ -391,7 +391,7 @@ Discourse::Application.routes.draw do
get "#{root_path}/:username/activity.rss" => "posts#user_posts_feed", format: :rss, constraints: { username: USERNAME_ROUTE_FORMAT } get "#{root_path}/:username/activity.rss" => "posts#user_posts_feed", format: :rss, constraints: { username: USERNAME_ROUTE_FORMAT }
get "#{root_path}/:username/activity" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT } get "#{root_path}/:username/activity" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
get "#{root_path}/:username/activity/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT } get "#{root_path}/:username/activity/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
get "#{root_path}/:username/badges" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT } get "#{root_path}/:username/badges" => "users#badges", constraints: { username: USERNAME_ROUTE_FORMAT }
get "#{root_path}/:username/notifications" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT } get "#{root_path}/:username/notifications" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
get "#{root_path}/:username/notifications/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT } get "#{root_path}/:username/notifications/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
get "#{root_path}/:username/activity/pending" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT } get "#{root_path}/:username/activity/pending" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }

10
spec/controllers/user_badges_controller_spec.rb
View file

@ -5,19 +5,25 @@ describe UserBadgesController do
let(:badge) { Fabricate(:badge) } let(:badge) { Fabricate(:badge) }
context 'index' do context 'index' do
let(:badge) { Fabricate(:badge, target_posts: true, show_posts: false) }
it 'does not leak private info' do it 'does not leak private info' do
badge = Fabricate(:badge, target_posts: true, show_posts: false)
p = create_post p = create_post
UserBadge.create(badge: badge, user: user, post_id: p.id, granted_by_id: -1, granted_at: Time.now) UserBadge.create(badge: badge, user: user, post_id: p.id, granted_by_id: -1, granted_at: Time.now)
get :index, params: { badge_id: badge.id }, format: :json get :index, params: { badge_id: badge.id }, format: :json
expect(response.status).to eq(200) expect(response).to be_success
parsed = JSON.parse(response.body) parsed = JSON.parse(response.body)
expect(parsed["topics"]).to eq(nil) expect(parsed["topics"]).to eq(nil)
expect(parsed["badges"].length).to eq(1) expect(parsed["badges"].length).to eq(1)
expect(parsed["user_badge_info"]["user_badges"][0]["post_id"]).to eq(nil) expect(parsed["user_badge_info"]["user_badges"][0]["post_id"]).to eq(nil)
end end
it "fails when badges are disabled" do
SiteSetting.enable_badges = false
get :index, params: { badge_id: badge.id }, format: :json
expect(response).not_to be_success
end
end end
context 'index' do context 'index' do

13
spec/requests/users_controller_spec.rb
View file

@ -26,6 +26,19 @@ RSpec.describe UsersController do
end end
end end
describe "#badges" do
it "renders fine by default" do
get "/u/#{user.username}/badges"
expect(response).to be_success
end
it "fails if badges are disabled" do
SiteSetting.enable_badges = false
get "/u/#{user.username}/badges"
expect(response).not_to be_success
end
end
describe "updating a user" do describe "updating a user" do
before do before do
sign_in(user) sign_in(user)