discourse/spec/requests/admin
Régis Hanol 9892628a50 SECURITY: Restrict staff action logs visibility for moderators
Previously, moderators had full access to all staff action logs, which
exposed sensitive information including webhook secrets, API keys, site
settings, private messages, and restricted categories.

This change implements an allowlist approach where moderators can only
see actions relevant to their role (user management, posts, topics,
badges, etc.) while admin-only actions (site settings, webhooks, API
keys, themes, etc.) are hidden.

Additionally, content-level redaction ensures moderators cannot see
details of logs referencing private topics, restricted categories, or
deleted content they don't have access to.

Site setting gates control visibility of category, trust level, and
email actions based on existing moderator permission settings.

Ref - t/171137
2026-01-28 17:11:14 +00:00
config FEATURE: Discourse ID setting page (#36316) 2025-12-11 16:04:09 +01:00
admin_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
api_controller_spec.rb DEV: Add API scopes for post revisions (#26183) 2024-03-14 15:24:54 -06:00
backups_controller_spec.rb FIX: improve "read only" modes (#33521) 2025-07-10 09:08:00 +02:00
badges_controller_spec.rb FIX: Don't overwrite translated titles when updating badge (#33731) 2025-07-23 15:46:00 +08:00
color_schemes_controller_spec.rb FEATURE: Allow editing theme-owned palettes (#34722) 2025-10-06 09:02:39 +03:00
dashboard_controller_spec.rb DEV: Update rubocop-discourse to 3.13 and autofix issues (#35073) 2025-10-06 16:11:01 +02:00
email_controller_spec.rb FIX: disable smtp_should_reject code 2025-11-25 10:34:35 -05:00
email_logs_controller_spec.rb FIX: bug when skipped email logs are filtered (#33557) 2025-07-11 08:55:51 +08:00
email_styles_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
email_templates_controller_spec.rb FIX: Filter restricted email template keys from site text search (#36857) 2025-12-24 14:33:37 +01:00
embeddable_hosts_controller_spec.rb FEATURE: Extend embeddable hosts with Individual tags and author assignments (#26868) 2024-05-16 15:47:01 -04:00
embedding_controller_spec.rb UX: admins embedding page follows admin ux guideline (#30122) 2025-01-06 13:01:08 +11:00
emojis_controller_spec.rb DEV: Move admin config pages out of /customize/ sub-route (#30511) 2025-01-02 09:13:11 +10:00
form_templates_controller_spec.rb DEV: Fix flaky test for form template (#33960) 2025-07-30 13:55:26 +10:00
groups_controller_spec.rb FEATURE: Split setting for allowing mods to manage categories and groups (#35174) 2025-10-06 10:43:42 +03:00
impersonate_controller_spec.rb DEV: Allow impersonation without session swapping (#34213) 2025-08-21 14:18:15 +08:00
permalinks_controller_spec.rb FIX: Permalink.create didn't work as expected anymore (#29895) 2024-11-22 21:11:26 +01:00
plugins_controller_spec.rb FIX: Don't allow access to plugin page if plugin is not visible (#26431) 2024-04-02 16:26:15 +03:00
reports_controller_spec.rb FEATURE: Add admin-only reports and centralize report visibility logic 2026-01-28 17:11:14 +00:00
robots_txt_controller_spec.rb FIX: Show true content of robots.txt after restoring to default (#24980) 2023-12-20 23:00:37 +03:00
screened_emails_controller_spec.rb SECURITY: Moderators cannot see user emails. 2024-12-19 13:13:18 -03:00
screened_ip_addresses_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
screened_urls_controller_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
search_controller_spec.rb FIX: Default Locale site setting not included in admin search (#34562) 2025-08-27 13:03:44 +08:00
search_logs_spec.rb DEV: Allow fab! without block (#24314) 2023-11-09 16:47:59 -06:00
site_settings_controller_spec.rb DEV: Deprecate the assignment of nil to site settings (#36093) 2025-12-01 15:04:23 +08:00
site_texts_controller_spec.rb UX: remove footer-messages (#36874) 2026-01-02 13:59:16 +01:00
staff_action_logs_controller_spec.rb SECURITY: Restrict staff action logs visibility for moderators 2026-01-28 17:11:14 +00:00
themes_controller_spec.rb DEV: Remove dual mode support for palettes and drop theme-owned palettes (#34467) 2025-08-26 06:24:11 +03:00
unknown_reviewables_controller_spec.rb DEV: Remove unnecessary rails_helper requires (#33812) 2025-07-24 13:50:04 +02:00
user_fields_controller_spec.rb FEATURE: Allow hiding user fields on signup form (#34672) 2025-09-15 10:42:07 +08:00
users_controller_spec.rb FEATURE: Add background job and ability to delete posts from suspend user modal (#36813) 2026-01-07 10:25:01 -06:00
versions_controller_spec.rb FEATURE: call hub API to update Discourse discover enrollment. (#25634) 2024-02-23 11:42:28 +05:30
watched_words_controller_spec.rb FIX: Ensure uploaded watched word CSVs are converted to utf-8. (#32263) 2025-04-11 16:12:45 +10:00
web_hooks_controller_spec.rb DEV: Add a user agent to all HTTP requests that Discourse makes. (#31555) 2025-03-03 16:32:25 +11:00