FIX: Some badge routes were still working even with badges disabled

2024-11-27 03:10:46 -06:00 · 2017-11-21 12:22:24 -05:00 · 2017-11-21 12:22:24 -05:00 · 628275fc31
commit 628275fc31
parent 9444c31918
5 changed files with 35 additions and 4 deletions
--- a/app/controllers/user_badges_controller.rb
+++ b/app/controllers/user_badges_controller.rb
@ -1,4 +1,6 @@
 class UserBadgesController < ApplicationController
+  before_action :ensure_badges_enabled
+
  def index
    params.permit [:granted_before, :offset, :username]

@ -106,4 +108,8 @@ class UserBadgesController < ApplicationController
      master_api_call = current_user.nil? && is_api?
      master_api_call || guardian.can_grant_badges?(user)
    end
+
+    def ensure_badges_enabled
+      raise Discourse::NotFound unless SiteSetting.enable_badges?
+    end
 end
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -8,7 +8,7 @@ require_dependency 'admin_confirmation'
 class UsersController < ApplicationController

  skip_before_action :authorize_mini_profiler, only: [:avatar]
-  skip_before_action :check_xhr, only: [:show, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin]
+  skip_before_action :check_xhr, only: [:show, :badges, :password_reset, :update, :account_created, :activate_account, :perform_account_activation, :user_preferences_redirect, :avatar, :my_redirect, :toggle_anon, :admin_login, :confirm_admin]

  before_action :ensure_logged_in, only: [:username, :update, :user_preferences_redirect, :upload_user_image,
                                          :pick_avatar, :destroy_user_image, :destroy, :check_emails, :topic_tracking_state]
@ -67,6 +67,7 @@ class UsersController < ApplicationController
      format.html do
        @restrict_fields = guardian.restrict_user_fields?(@user)
        store_preloaded("user_#{@user.username}", MultiJson.dump(user_serializer))
+        render :show
      end

      format.json do
@ -75,6 +76,11 @@ class UsersController < ApplicationController
    end
  end

+  def badges
+    raise Discourse::NotFound unless SiteSetting.enable_badges?
+    show
+  end
+
  def card_badge
  end

--- a/config/routes.rb
+++ b/config/routes.rb
@ -391,7 +391,7 @@ Discourse::Application.routes.draw do
    get "#{root_path}/:username/activity.rss" => "posts#user_posts_feed", format: :rss, constraints: { username: USERNAME_ROUTE_FORMAT }
    get "#{root_path}/:username/activity" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
    get "#{root_path}/:username/activity/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
-    get "#{root_path}/:username/badges" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
+    get "#{root_path}/:username/badges" => "users#badges", constraints: { username: USERNAME_ROUTE_FORMAT }
    get "#{root_path}/:username/notifications" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
    get "#{root_path}/:username/notifications/:filter" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
    get "#{root_path}/:username/activity/pending" => "users#show", constraints: { username: USERNAME_ROUTE_FORMAT }
--- a/spec/controllers/user_badges_controller_spec.rb
+++ b/spec/controllers/user_badges_controller_spec.rb
@ -5,19 +5,25 @@ describe UserBadgesController do
  let(:badge) { Fabricate(:badge) }

  context 'index' do
+    let(:badge) { Fabricate(:badge, target_posts: true, show_posts: false) }
    it 'does not leak private info' do
-      badge = Fabricate(:badge, target_posts: true, show_posts: false)
      p = create_post
      UserBadge.create(badge: badge, user: user, post_id: p.id, granted_by_id: -1, granted_at: Time.now)

      get :index, params: { badge_id: badge.id }, format: :json
-      expect(response.status).to eq(200)
+      expect(response).to be_success

      parsed = JSON.parse(response.body)
      expect(parsed["topics"]).to eq(nil)
      expect(parsed["badges"].length).to eq(1)
      expect(parsed["user_badge_info"]["user_badges"][0]["post_id"]).to eq(nil)
    end
+
+    it "fails when badges are disabled" do
+      SiteSetting.enable_badges = false
+      get :index, params: { badge_id: badge.id }, format: :json
+      expect(response).not_to be_success
+    end
  end

  context 'index' do
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -26,6 +26,19 @@ RSpec.describe UsersController do
    end
  end

+  describe "#badges" do
+    it "renders fine by default" do
+      get "/u/#{user.username}/badges"
+      expect(response).to be_success
+    end
+
+    it "fails if badges are disabled" do
+      SiteSetting.enable_badges = false
+      get "/u/#{user.username}/badges"
+      expect(response).not_to be_success
+    end
+  end
+
  describe "updating a user" do
    before do
      sign_in(user)