Return wizard locales according to wizard permissions

2020-11-23 11:11:13 +11:00 · 2020-11-23 11:11:13 +11:00 · 63a3115dda
Commit 63a3115dda
--- a/extensions/extra_locales_controller.rb
+++ b/extensions/extra_locales_controller.rb
@ -1,16 +1,11 @@
 module ExtraLocalesControllerCustomWizard
-  def show
-    if request.referer && URI(request.referer).path.include?('/w/')
-      bundle = params[:bundle]
-        
-      if params[:v]&.size == 32
-        hash = ::ExtraLocalesController.bundle_js_hash(bundle)
-        immutable_for(1.year) if hash == params[:v]
-      end
-      
-      render plain: ::ExtraLocalesController.bundle_js(bundle), content_type: "application/javascript"
-    else
-      super
+  private def valid_bundle?(bundle)
+    super || begin
+      return false unless bundle =~ /wizard/ && request.referer =~ /\/w\//
+      path = URI(request.referer).path
+      wizard_id = path.split('/w/').last
+      wizard = CustomWizard::Wizard.create(wizard_id.underscore, current_user)
+      wizard && wizard.can_access?
    end
  end
 end
--- a/spec/extensions/extra_locales_controller_spec.rb
+++ b/spec/extensions/extra_locales_controller_spec.rb
@ -1,26 +1,59 @@
 require 'rails_helper'

 describe ExtraLocalesControllerCustomWizard, type: :request do
+  let(:new_user) { Fabricate(:user, trust_level: TrustLevel[0]) }
+  let(:staff_user) { Fabricate(:moderator) }
+  
+  let(:template) {
+    JSON.parse(File.open(
+      "#{Rails.root}/plugins/discourse-custom-wizard/spec/fixtures/wizard.json"
+    ).read)
+  }
+  
+  let(:permitted) {
+    JSON.parse(File.open(
+      "#{Rails.root}/plugins/discourse-custom-wizard/spec/fixtures/wizard/permitted.json"
+    ).read)
+  }
+  
  before do
-    CustomWizard::Template.save(
-      JSON.parse(File.open(
-        "#{Rails.root}/plugins/discourse-custom-wizard/spec/fixtures/wizard.json"
-      ).read),
-    skip_jobs: true)
+    CustomWizard::Template.save(template, skip_jobs: true)
  end
  
  before do
-    @controller = ExtraLocalesController.new
+    js_hash = ExtraLocalesController.bundle_js_hash("wizard")
+    @locale_url = "#{Discourse.base_path}/extra-locales/wizard?v=#{js_hash}"
  end
  
-  it "returns locales when requested by wizard" do
-    @controller.request = ActionController::TestRequest.create(@controller.class)
-    @controller.request.env['HTTP_REFERER'] = "/w/super-mega-fun-wizard"
+  it "generates the correct wizard locale url" do
+    expect(ExtraLocalesController.url("wizard")).to eq(@locale_url)
+  end
  
-    expect(
-      ExtraLocalesController.url("wizard")
-    ).to eq(
-      "#{Discourse.base_path}/extra-locales/wizard?v=#{ExtraLocalesController.bundle_js_hash("wizard")}"
-    )
+  it "returns wizard locales when requested by user in wizard" do
+    sign_in(new_user)
+    
+    get @locale_url, headers: { 'REFERER' => "/w/super-mega-fun-wizard" }
+    expect(response.status).to eq(200)
+  end
+  
+  it "doesnt return wizard locales if user cant access wizard" do
+    template[:permitted] = permitted["permitted"]
+    CustomWizard::Template.save(template.as_json)
+    
+    sign_in(new_user)
+    get @locale_url, headers: { 'REFERER' => "/w/super-mega-fun-wizard" }
+    expect(response.status).to eq(403)
+  end
+  
+  it "doesnt return wizard locales to non-staff when requested outside of wizard" do
+    sign_in(new_user)
+    get @locale_url
+    expect(response.status).to eq(403)
+  end
+  
+  it "returns wizard locales to staff when requested outside of wizard" do
+    sign_in(staff_user)
+    get @locale_url
+    expect(response.status).to eq(200)
  end
 end