discourse/spec/requests
Natalie Tay 8980779ae5
FIX: Ensure moderators do not clear group email domain (#39631)
When a moderator (who can manage groups via `moderators_manage_groups`)
edits a group's profile and saves, the
`automatic_membership_email_domains` gets silently cleared now.

One issue that leads to another:
- `GroupShowSerializer` gated `automatic_membership_email_domains` behind
`is_admin?`, so moderators never received the value. The frontend model
defaulted to "", and on save ... 💥 (it gets cleared)
- Then, the "save" flow calls
`/admin/groups/automatic_membership_count.json` to check if new users
would be auto-added, but that route sat behind `AdminConstraint`, so
moderators got a 404.

This PR fixes this by using the `can_admin_group?` visibility check (covers
admins + moderators with the setting enabled), moving the
`automatic_membership_count` route to the staff-accessible block, and
adding a `can_create_group?` guard in the controller so moderators
without `moderators_manage_groups` still can't access it.
2026-04-29 14:32:38 +08:00
admin FIX: Ensure moderators do not clear group email domain (#39631) 2026-04-29 14:32:38 +08:00
api DEV: Restore and update request/api specs (#39483) 2026-04-23 20:13:52 +02:00
examples
about_controller_spec.rb FIX: respect profile-visibility controls on about page (#38527) 2026-03-12 16:39:53 +08:00
application_controller_spec.rb FEATURE: Add bfcache-compatible cache-control headers option (#38763) 2026-03-23 17:34:45 -03:00
associate_accounts_controller_spec.rb DEV: add shortcut fab!(:variable, :fabricator) to specs (#33577) 2025-07-11 11:16:34 -03:00
badges_controller_spec.rb FIX: Non-listable and disabled badges exposed via XHR JSON requests (#37869) 2026-02-17 16:17:01 +11:00
bookmarks_controller_spec.rb DEV: Update rubocop-discourse to 3.13 and autofix issues (#35073) 2025-10-06 16:11:01 +02:00
calendar_subscriptions_controller_spec.rb FEATURE: Add calendar subscription URLs to user preferences (#38598) 2026-03-17 10:28:20 -03:00
categories_controller_spec.rb FEATURE: Support group based category posting review modes (#38707) 2026-04-07 10:41:16 +08:00
clicks_controller_spec.rb
composer_controller_spec.rb SECURITY: Hidden group membership can be inferred via allowed_names and user_reasons 2026-03-19 15:21:28 +00:00
composer_messages_controller_spec.rb DEV: Filter hidden posts from duplicate link lookup (#38543) 2026-03-12 10:32:59 -07:00
crawler_hreflang_spec.rb FIX: Self-canonicalize tl= translated pages (#39494) 2026-04-23 22:52:16 +08:00
default_headers_spec.rb DEV: Disallow the use of Rails.logger= in RSpec tests (#31920) 2025-03-21 08:48:38 +08:00
dev_mode_controller_spec.rb DEV: Add /dev-mode endpoint for MiniProfiler auth cookie (#37027) 2026-01-12 10:01:20 +08:00
directory_columns_controller_spec.rb
directory_items_controller_spec.rb SECURITY: exclude_groups enables private group membership inference without authorization 2026-03-19 15:21:28 +00:00
discourse_id_controller_spec.rb FIX: Revocation endpoint is blocked when login_required is enabled, preventing session invalidation (#37859) 2026-02-17 09:12:14 -05:00
do_not_disturb_controller_spec.rb
drafts_controller_spec.rb DEV: Expand top_tags, topic.tags, etc, to return an array of tag objects instead of tag names (#36678) 2026-02-02 10:03:02 +08:00
edit_directory_columns_controller_spec.rb
email_controller_spec.rb DEV: add shortcut fab!(:variable, :fabricator) to specs (#33577) 2025-07-11 11:16:34 -03:00
embed_controller_spec.rb FIX: Handle blank-slug topics in full app embed mode (#38668) 2026-03-17 15:37:00 -03:00
emojis_controller_spec.rb FEATURE: Locale-specific emoji search aliases (#39089) 2026-04-06 14:08:46 -03:00
exceptions_controller_spec.rb FIX: Respect forced color mode for logo on server-rendered pages (#37032) 2026-01-09 11:33:06 +01:00
export_csv_controller_spec.rb SECURITY: Prevent moderators from exporting admin-only reports via CSV 2026-03-31 15:12:45 +01:00
extra_locales_controller_spec.rb DEV: Refactor locale bundle loading (#37114) 2026-01-16 11:45:14 +00:00
finish_installation_controller_spec.rb DEV: Allow new instances to be set up directly with Discourse ID (#36731) 2025-12-23 12:13:36 -05:00
form_templates_controller_spec.rb DEV: Rename experimental_ upcoming change settings (#37589) 2026-02-10 10:34:37 +10:00
forums_controller_spec.rb FIX: improve "read only" modes (#33521) 2025-07-10 09:08:00 +02:00
groups_controller_spec.rb FIX: Ensure moderators do not clear group email domain (#39631) 2026-04-29 14:32:38 +08:00
hashtags_controller_spec.rb DEV: add tag hashtag data source style type (#33289) 2025-06-20 18:08:47 +04:00
highlightjs_controller_spec.rb DEV: Simplify CORS logic for public asset routes (#33106) 2025-06-09 08:58:27 +01:00
home_page_controller_spec.rb DEV: Add site description to crawler homepage view (#32845) 2025-05-22 08:33:59 +10:00
inline_onebox_controller_spec.rb SECURITY: Check topic visibility in Oneboxer even when categories match 2026-03-31 15:12:45 +01:00
invites_controller_spec.rb SECURITY: Gate staged user fields on email verification 2026-03-31 15:12:45 +01:00
list_controller_spec.rb FIX: Use resolved locale for localizations, instead of param+site default fallback (#39395) 2026-04-21 15:52:35 +08:00
metadata_controller_spec.rb SECURITY: Error responses missing Cache-Control header 2025-10-28 14:40:41 +08:00
nested_topics_controller_spec.rb FIX: Show suggested and related topics on nested replies view (#39473) 2026-04-23 12:05:20 -03:00
net_http_header_spec.rb DEV: Add a user agent to all HTTP requests that Discourse makes. (#31555) 2025-03-03 16:32:25 +11:00
net_http_timeout_spec.rb DEV: fix a large amount of typos (#37428) 2026-02-02 16:31:58 +11:00
noscript_escape_spec.rb
notifications_controller_spec.rb FIX: Hide badge notifications for disabled badges or when badges are disabled (#36987) 2026-01-07 15:28:43 +08:00
offline_controller_spec.rb
omniauth_callbacks_controller_spec.rb DEV: Fix invite-only OAuth signup bypass via non-invite origin routes (#38646) 2026-03-17 09:19:09 -05:00
onebox_controller_spec.rb SECURITY: prevent hidden profile data leak via user onebox 2026-03-19 15:21:28 +00:00
permalinks_controller_spec.rb SECURITY: prevent permalink redirects from leaking restricted slugs 2026-01-28 17:11:14 +00:00
post_action_users_controller_spec.rb SECURITY: hide total_rows for restricted post action types 2026-03-19 15:21:28 +00:00
post_actions_controller_spec.rb SECURITY: fix is_warning type coercion bypass in PostActionsController 2026-03-19 15:21:28 +00:00
post_localizations_controller_spec.rb FEATURE: Allow post authors to localize their own posts (#36178) 2025-11-25 11:02:22 +08:00
post_readers_controller_spec.rb SECURITY: Missing post-level authorization allows whisper metadata disclosure 2026-03-31 15:12:45 +01:00
posts_controller_spec.rb DEV: Fix a flake in post_controller spec (#39554) 2026-04-27 12:37:02 +02:00
presence_controller_spec.rb
published_pages_controller_spec.rb FIX: ensures only staff can check slugs (#37846) 2026-02-16 18:23:46 +01:00
push_notification_controller_spec.rb
qunit_controller_spec.rb DEV: Cache AssetProcessor code in development (#38036) 2026-02-25 11:24:41 +00:00
reviewable_claimed_topics_controller_spec.rb DEV: Convert ReviewableClaimedTopicsController#destroy response from 403 to 404 (#38339) 2026-03-06 15:39:51 -06:00
reviewable_notes_controller_spec.rb SECURITY: scope reviewable notes to user-visible reviewables 2026-02-26 12:22:54 +00:00
reviewables_controller_spec.rb DEV: Remove unused transition_to and transition_to_id from reviewable serializer (#37135) 2026-01-15 15:04:53 +08:00
robots_txt_controller_spec.rb
safe_mode_controller_spec.rb DEV: Compile 'common' CSS into own assets (#31416) 2025-05-01 10:44:49 +01:00
search_controller_spec.rb DEV: fix a large amount of typos (#37428) 2026-02-02 16:31:58 +11:00
session_controller_spec.rb FIX: clear push subscriptions on DiscourseConnect single-logout (#39353) 2026-04-17 16:16:39 -03:00
sidebar_sections_controller_spec.rb FIX: raise 404 when sidebar section doesn't exist (#37675) 2026-02-10 15:47:49 +01:00
similar_topics_controller_spec.rb
site_controller_spec.rb DEV: Gate read-restricted banner topics (#38496) 2026-03-11 08:14:57 -07:00
sitemap_controller_spec.rb DEV: Update rubocop-discourse to 3.13 and autofix issues (#35073) 2025-10-06 16:11:01 +02:00
slugs_controller_spec.rb DEV: add shortcut fab!(:variable, :fabricator) to specs (#33577) 2025-07-11 11:16:34 -03:00
static_controller_spec.rb DEV: Move 4 upcoming changes to stable (#39066) 2026-04-07 10:05:49 +10:00
steps_controller_spec.rb UX: One step wizard (#36082) 2025-11-25 13:35:32 -05:00
stylesheets_controller_spec.rb DEV: Public color_scheme requests can disclose non-user-selectable theme color definitions and raw SCSS (#38497) 2026-03-11 07:56:27 -07:00
svg_sprite_controller_spec.rb DEV: enable raise_error in test envs for deprecated icons in svg_sprite.rb (#30980) 2025-02-04 21:21:20 +08:00
tag_groups_controller_spec.rb FIX: Prevent tag group from saving if private + no group selected (#39599) 2026-04-29 12:10:45 +08:00
tag_localizations_controller_spec.rb FIX: Clean localized tag names (#38488) 2026-03-12 12:54:50 +08:00
tags_controller_spec.rb FIX: Persist group default tag notification settings (#39369) 2026-04-27 11:40:06 +02:00
theme_javascripts_controller_spec.rb DEV: Use rollup for theme JS compilation (#33103) 2025-07-25 12:02:29 +01:00
topic_localizations_controller_spec.rb UX: Use inline title editor instead of composer when editing translation (#36847) 2025-12-24 00:56:36 +08:00
topic_view_stats_controller_spec.rb
topics_controller_spec.rb FIX: Skip third-party analytics tags in full app embed iframes (#39534) 2026-04-24 14:58:45 -03:00
uploads_controller_multisite_spec.rb FIX: Multisite prevent anons from downloading files (#37979) 2026-02-24 10:49:14 +10:00
uploads_controller_spec.rb FIX: Enforce content disposition on S3 presigned URLs (#38850) 2026-03-27 10:04:00 +08:00
user_actions_controller_spec.rb SECURITY: Enforce Guardian checks in UserActionsController#show 2026-03-19 15:21:28 +00:00
user_api_key_clients_controller_spec.rb FIX: Empty-scopes bypass allows untrusted client registration and downstream scope/redirect policy bypass (#37855) 2026-02-17 12:39:09 +11:00
user_api_keys_controller_spec.rb SECURITY: Validate auth_redirect in UserApiKeysController#new to prevent open redirect phishing 2026-03-19 15:21:28 +00:00
user_avatars_controller_spec.rb PERF: extract shared DiskCacheEviction utility for disk caches (#37842) 2026-02-16 12:24:38 +01:00
user_badges_controller_spec.rb FIX: enforces logged in, in badges actions (#37666) 2026-02-10 12:00:56 +01:00
user_status_controller_spec.rb FEATURE: Prevent silenced users from liking and using reactions (#37040) 2026-01-13 13:59:57 +01:00
users_controller_spec.rb FIX: allow my route for alphanumeric params (#39605) 2026-04-28 16:31:26 +04:00
users_email_controller_spec.rb FIX: enforces login for create in user emails controller (#37770) 2026-02-12 17:10:43 +01:00
webhooks_controller_spec.rb DEV: Silence expected error/debug output in core specs (#39247) 2026-04-14 11:04:10 +02:00
wizard_controller_spec.rb