From 63a3115dda5d9c524b18d65a92c40f598f0c1495 Mon Sep 17 00:00:00 2001
From: Angus McLeod
Date: Mon, 23 Nov 2020 11:11:13 +1100
Subject: [PATCH] Return wizard locales according to wizard permissions
---
 extensions/extra_locales_controller.rb | 19 +++---
 .../extra_locales_controller_spec.rb | 63 ++++++++++++++-----
 2 files changed, 55 insertions(+), 27 deletions(-)
diff --git a/extensions/extra_locales_controller.rb b/extensions/extra_locales_controller.rb
index 31a9f488..4a1993b7 100644
--- a/extensions/extra_locales_controller.rb
+++ b/extensions/extra_locales_controller.rb
@@ -1,16 +1,11 @@
 module ExtraLocalesControllerCustomWizard
- def show
- if request.referer && URI(request.referer).path.include?('/w/')
- bundle = params[:bundle]
-
- if params[:v]&.size == 32
- hash = ::ExtraLocalesController.bundle_js_hash(bundle)
- immutable_for(1.year) if hash == params[:v]
- end
-
- render plain: ::ExtraLocalesController.bundle_js(bundle), content_type: "application/javascript"
- else
- super
+ private def valid_bundle?(bundle)
+ super || begin
+ return false unless bundle =~ /wizard/ && request.referer =~ /\/w\//
+ path = URI(request.referer).path
+ wizard_id = path.split('/w/').last
+ wizard = CustomWizard::Wizard.create(wizard_id.underscore, current_user)
+ wizard && wizard.can_access?
 end
 end
 end
\ No newline at end of file
diff --git a/spec/extensions/extra_locales_controller_spec.rb b/spec/extensions/extra_locales_controller_spec.rb
index e12b5f04..3fe02be4 100644
--- a/spec/extensions/extra_locales_controller_spec.rb
+++ b/spec/extensions/extra_locales_controller_spec.rb
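Review bot: `valid_bundle?` in extensions/extra_locales_controller.rb parses the client-supplied Referer without guarding failures: a malformed header makes `URI(request.referer)` raise `URI::InvalidURIError`, and a Referer whose parsed path is empty leaves `path.split('/w/').last` nil before `.underscore`, so both would presumably surface as a server error rather than a refusal. The `/\/w\//` match is applied to the whole header instead of the parsed path, and everything after the last `/w/` is used as the id, so any deeper wizard URL (if such routes exist) would fail the lookup. The fence below parses once, rescues the URI error and extracts a single path segment. Separately, `bundle =~ /wizard/` is unanchored; `bundle == 'wizard'` looks like the intent, judging by the spec. Because the Referer is chosen by the caller, a comment on the method should state that this check grants the bundle to anyone who can access at least one wizard, not only to requests made from a wizard page.

```ruby
private def valid_bundle?(bundle)
  super || begin
    return false unless bundle =~ /wizard/ && request.referer.present?
    path =
      begin
        URI(request.referer).path
      rescue URI::InvalidURIError
        nil
      end
    # Take only the segment after /w/, read from the parsed path rather than the raw header.
    wizard_id = path.to_s[%r{/w/([^/]+)}, 1]
    return false unless wizard_id
    # … unchanged: CustomWizard::Wizard.create(...) and the can_access? check …
```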
@@ -1,26 +1,59 @@
 require 'rails_helper'
 describe ExtraLocalesControllerCustomWizard, type: :request do
+ let(:new_user) { Fabricate(:user, trust_level: TrustLevel[0]) }
+ let(:staff_user) { Fabricate(:moderator) }
+
+ let(:template) {
+ JSON.parse(File.open(
+ "#{Rails.root}/plugins/discourse-custom-wizard/spec/fixtures/wizard.json"
+ ).read)
+ }
+
+ let(:permitted) {
+ JSON.parse(File.open(
+ "#{Rails.root}/plugins/discourse-custom-wizard/spec/fixtures/wizard/permitted.json"
+ ).read)
+ }
+
 before do
- CustomWizard::Template.save(
- JSON.parse(File.open(
- "#{Rails.root}/plugins/discourse-custom-wizard/spec/fixtures/wizard.json"
- ).read),
- skip_jobs: true)
+ CustomWizard::Template.save(template, skip_jobs: true)
 end
 before do
- @controller = ExtraLocalesController.new
+ js_hash = ExtraLocalesController.bundle_js_hash("wizard")
+ @locale_url = "#{Discourse.base_path}/extra-locales/wizard?v=#{js_hash}"
 end
- it "returns locales when requested by wizard" do
- @controller.request = ActionController::TestRequest.create(@controller.class)
- @controller.request.env['HTTP_REFERER'] = "/w/super-mega-fun-wizard"
-
- expect(
- ExtraLocalesController.url("wizard")
- ).to eq(
- "#{Discourse.base_path}/extra-locales/wizard?v=#{ExtraLocalesController.bundle_js_hash("wizard")}"
- )
+ it "generates the correct wizard locale url" do
+ expect(ExtraLocalesController.url("wizard")).to eq(@locale_url)
+ end
+
+ it "returns wizard locales when requested by user in wizard" do
+ sign_in(new_user)
+
+ get @locale_url, headers: { 'REFERER' => "/w/super-mega-fun-wizard" }
+ expect(response.status).to eq(200)
+ end
+
+ it "doesnt return wizard locales if user cant access wizard" do
+ template[:permitted] = permitted["permitted"]
+ CustomWizard::Template.save(template.as_json)
+
+ sign_in(new_user)
+ get @locale_url, headers: { 'REFERER' => "/w/super-mega-fun-wizard" }
+ expect(response.status).to eq(403)
+ end
+
+ it "doesnt return wizard locales to non-staff when requested outside of wizard" do
+ sign_in(new_user)
+ get @locale_url
+ expect(response.status).to eq(403)
+ end
+
+ it "returns wizard locales to staff when requested outside of wizard" do
+ sign_in(staff_user)
+ get @locale_url
+ expect(response.status).to eq(200)
 end
 end
\ No newline at end of file
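Review bot: The refusal cases in this spec never exercise the Referer parsing that the controller now depends on, since every request either sends the valid `/w/super-mega-fun-wizard` Referer or none at all. I would add examples for a Referer naming a wizard that does not exist and for a malformed Referer, each asserting a 403 rather than an error, e.g. `get @locale_url, headers: { 'REFERER' => "/w/no-such-wizard" }` followed by `expect(response.status).to eq(403)`. A request made without `sign_in` is also untested. As a style point, `File.open(...).read` in the two `let` blocks leaves the file handle open until it is garbage-collected; `File.read(path)` returns the same content without that.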