FIX: check admin theme cookie against user selectable

previously admin got a free pass and could set theme via cookie to anything,
including themes that are not selectable

this refactor ensures that only "preview" gets a free pass; all the rest
goes through the same pipeline
Sam
2018-09-07 10:44:57 +10:00
parent c1c9637b39
commit 879067d000
4 changed files with 22 additions and 9 deletions


@@ -364,10 +364,10 @@ class Guardian
UserExport.where(user_id: @user.id, created_at: (Time.zone.now.beginning_of_day..Time.zone.now.end_of_day)).count == 0
end
def allow_themes?(theme_ids)
def allow_themes?(theme_ids, include_preview: false)
return true if theme_ids.blank?
if is_staff? && (theme_ids - Theme.theme_ids).blank?
if include_preview && is_staff? && (theme_ids - Theme.theme_ids).blank?
return true
end
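Review bot: the staff bypass now fires only when a caller opts in with `include_preview: true`, and the `false` default is the safe direction, but this hunk shows only the definition of `allow_themes?`; with 4 files changed, the review should confirm that exactly one caller (the preview path) passes `include_preview: true` and that the cookie path relies on the default, since a stray `include_preview: true` there would reopen the exact gap the commit message describes. The visible hunk also carries no spec change, so a test asserting that a staff user calling `allow_themes?(theme_ids)` with the default and a theme id that exists in `Theme.theme_ids` but is not user selectable is refused would pin the new behaviour and guard against the `is_staff?` shortcut being reintroduced later.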