FIX: check admin theme cookie against user selectable

previously admins got a free pass and could set the theme via cookie to anything,
including themes that are not selectable

this refactor ensures that only "preview" gets a free pass, all the rest
goes through the same pipeline
Sam
2018-09-07 10:44:57 +10:00
parent c1c9637b39
commit 879067d000
4 changed files with 22 additions and 9 deletions


@@ -2581,8 +2581,11 @@ describe Guardian do
let(:theme2) { Fabricate(:theme) }
it "allows staff to use any themes" do
expect(Guardian.new(moderator).allow_themes?([theme.id, theme2.id])).to eq(true)
expect(Guardian.new(admin).allow_themes?([theme.id, theme2.id])).to eq(true)
expect(Guardian.new(moderator).allow_themes?([theme.id, theme2.id])).to eq(false)
expect(Guardian.new(admin).allow_themes?([theme.id, theme2.id])).to eq(false)
expect(Guardian.new(moderator).allow_themes?([theme.id, theme2.id], include_preview: true)).to eq(true)
expect(Guardian.new(admin).allow_themes?([theme.id, theme2.id], include_preview: true)).to eq(true)
end
it "only allows normal users to use user-selectable themes or default theme" do