discourse/plugins/discourse-templates/app
Alan Guo Xiang Tan c9391cdc75
FIX: Check topic visibility in templates use action (#37980)
What is the problem?

- The discourse-templates plugin lets users mark topics as
  templates and track usage counts via `TemplatesController#use`
- The `use` action checks that the caller is logged in and passes the
  global `can_use_templates?` gate, then verifies the topic is a valid
  template via `Topic#template?`
- However, `Topic#template?` for category templates only checks whether
  the topic's category is in the configured template categories list —
  it does not check whether the calling user can see that category
- If an admin configures both a public and a restricted category as
  template sources, a regular user with access to the public category
  passes the global gate and can then call the `use` endpoint with a
  topic ID from the restricted category and succeed

What is the solution?

- Add `guardian.ensure_can_see!(topic)` to `TemplatesController#use`
2026-02-23 16:18:17 +08:00
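The authorization gap the commit message describes, as an added illustration that is not the discourse-templates plugin's own code: `Category`, `Topic`, `User`, `Guardian` and `TemplatesUse` below are simplified stand-ins for the real Discourse classes, and the only thing taken from the page is the shape of the check (`guardian.ensure_can_see!(topic)` added after the template check). Toggling `check_visibility:` shows why the global gate alone is insufficient when one template category is public and another is restricted.

```ruby
# Added illustration, not the discourse-templates plugin's own code: a
# simplified model of the authorization gap the commit describes. Category,
# Topic, User, Guardian and TemplatesUse are stand-ins for the real classes;
# the real Guardian#ensure_can_see! applies more rules than modelled here.

class NotLoggedIn < StandardError; end
class Forbidden < StandardError; end
class NotFound < StandardError; end

Category = Struct.new(:name, :allowed_groups) do
  # A category with no allowed_groups is public; otherwise only members see it.
  def unrestricted?
    allowed_groups.empty?
  end
end

Topic = Struct.new(:id, :category)
User = Struct.new(:name, :groups)

class Guardian
  def initialize(user)
    @user = user
  end

  def can_see_category?(category)
    category.unrestricted? || (category.allowed_groups & @user.groups).any?
  end

  def can_see?(topic)
    can_see_category?(topic.category)
  end

  # Raising form as used in the fix: an invisible topic is reported as missing.
  def ensure_can_see!(topic)
    raise NotFound, "topic #{topic.id}" unless can_see?(topic)
  end
end

class TemplatesUse
  # template_categories: admin-configured categories whose topics are templates.
  def initialize(template_categories, check_visibility:)
    @template_categories = template_categories
    @check_visibility = check_visibility
  end

  # Returns :ok when the use is accepted; raises otherwise.
  def call(user, topic)
    raise NotLoggedIn if user.nil?
    guardian = Guardian.new(user)

    # Global gate (can_use_templates? analogue): the caller can see at least
    # one template category. A public template category satisfies this.
    unless @template_categories.any? { |c| guardian.can_see_category?(c) }
      raise Forbidden
    end

    # Topic#template? analogue for category templates: only asks whether the
    # topic's category is in the configured list, not whether the caller can
    # see that category.
    raise NotFound unless @template_categories.include?(topic.category)

    # The fix: a per-topic visibility check on top of the global gate.
    guardian.ensure_can_see!(topic) if @check_visibility
    :ok
  end
end

# Scenario from the commit message, with constructed fixtures: one public and
# one restricted template category, and a regular user outside the group.
def run_scenario(check_visibility:)
  public_cat = Category.new("howto", [])
  staff_cat = Category.new("staff-templates", ["staff"])
  alice = User.new("alice", [])
  action = TemplatesUse.new([public_cat, staff_cat], check_visibility: check_visibility)

  [Topic.new(1, public_cat), Topic.new(2, staff_cat)].to_h do |topic|
    outcome = begin
      action.call(alice, topic)
    rescue NotFound
      :not_found
    end
    [topic.id, outcome]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix: #{run_scenario(check_visibility: false)}"
  puts "after fix:  #{run_scenario(check_visibility: true)}"
end
```

Without the visibility check, topic 2 (restricted category) is accepted for `alice` because she clears the global gate through the public category and the topic's category is on the template list; with the check, the same request is rejected while the public-category topic still succeeds.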
controllers/discourse_templates
models/discourse_templates
serializers/discourse_templates