FIX: ensure extra locales are only available to staff

FIX: ensure extra locales are only available to staff

diff --git a/app/controllers/extra_locales_controller.rb b/app/controllers/extra_locales_controller.rb
index 9083af9..43560c8 100644
--- a/app/controllers/extra_locales_controller.rb
+++ b/app/controllers/extra_locales_controller.rb
@@ -1,7 +1,6 @@
 # frozen_string_literal: true
 
 class ExtraLocalesController < ApplicationController
-
   layout :false
 
   skip_before_action :check_xhr,
@@ -11,13 +10,14 @@ class ExtraLocalesController < ApplicationController
 
   def show
     bundle = params[:bundle]
-    raise Discourse::InvalidAccess.new unless bundle =~ /^(admin|wizard)$/
-    if params[:v] && params[:v].length == 32
+
+    raise Discourse::InvalidAccess.new if bundle !~ /^(admin|wizard)$/ || !current_user&.staff?
+
+    if params[:v]&.size == 32
       hash = ExtraLocalesController.bundle_js_hash(bundle)
-      if hash == params[:v]
-        immutable_for 24.hours
-      end
+      immutable_for(24.hours) if hash == params[:v]
     end
+
     render plain: ExtraLocalesController.bundle_js(bundle), content_type: "application/javascript"
   end
 
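Review bot: The staff check added on line 24 is undermined by the cache directive kept on line 31: `immutable_for` yields `Cache-Control: max-age=86400, public, immutable` (the spec asserts exactly that), so a shared cache or CDN in front of the app can store a staff user's response and serve the admin bundle to anonymous clients without the controller ever running. A response that is now authorization-gated should only be cached privately, e.g. `response.headers["Cache-Control"] = "max-age=86400, private, immutable"` (or an `immutable_for` variant that emits `private`), with the spec expectation adjusted to match. Separately, `/^(admin|wizard)$/` anchors per line, so a value such as `"admin\nx"` still passes the check; `/\A(admin|wizard)\z/` is the safe form even if the route constraint implied by the 404 spec already rejects it. Whether `bundle_js` would cope with such a value cannot be seen from this hunk.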
diff --git a/spec/requests/extra_locales_controller_spec.rb b/spec/requests/extra_locales_controller_spec.rb
index c2aaee6..551dced 100644
--- a/spec/requests/extra_locales_controller_spec.rb
+++ b/spec/requests/extra_locales_controller_spec.rb
@@ -4,16 +4,10 @@ require 'rails_helper'
 
 describe ExtraLocalesController do
   context 'show' do
-    it "caches for 24 hours if version is provided and it matches current hash" do
-      get "/extra-locales/admin", params: { v: ExtraLocalesController.bundle_js_hash('admin') }
-      expect(response.status).to eq(200)
-      expect(response.headers["Cache-Control"]).to eq("max-age=86400, public, immutable")
-    end
 
-    it "does not cache at all if version is invalid" do
-      get "/extra-locales/admin", params: { v: 'a' * 32 }
-      expect(response.status).to eq(200)
-      expect(response.headers["Cache-Control"]).not_to eq("max-age=86400, public, immutable")
+    it "won't work with a weird parameter" do
+      get "/extra-locales/-invalid..character!!"
+      expect(response.status).to eq(404)
     end
 
     it "needs a valid bundle" do
@@ -21,36 +15,56 @@ describe ExtraLocalesController do
       expect(response.status).to eq(403)
     end
 
-    it "won't work with a weird parameter" do
-      get "/extra-locales/-invalid..character!!"
-      expect(response.status).to eq(404)
+    it "requires staff access" do
+      get "/extra-locales/admin"
+      expect(response.status).to eq(403)
+
+      get "/extra-locales/wizard"
+      expect(response.status).to eq(403)
     end
 
-    context "with plugin" do
-      before do
-        JsLocaleHelper.clear_cache!
-        JsLocaleHelper.expects(:plugin_translations)
-          .with(any_of("en", "en_US"))
-          .returns("admin_js" => {
-            "admin" => {
-              "site_settings" => {
-                "categories" => {
-                  "github_badges" => "Github Badges"
-                }
-              }
-            }
-          }).at_least_once
-      end
+    context "logged in as a moderator" do
 
-      after do
-        JsLocaleHelper.clear_cache!
-      end
+      let(:moderator) { Fabricate(:moderator) }
+      before { sign_in(moderator) }
 
-      it "includes plugin translations" do
-        get "/extra-locales/admin"
+      it "caches for 24 hours if version is provided and it matches current hash" do
+        get "/extra-locales/admin", params: { v: ExtraLocalesController.bundle_js_hash('admin') }
+        expect(response.status).to eq(200)
+        expect(response.headers["Cache-Control"]).to eq("max-age=86400, public, immutable")
+      end
 
+      it "does not cache at all if version is invalid" do
+        get "/extra-locales/admin", params: { v: 'a' * 32 }
         expect(response.status).to eq(200)
-        expect(response.body.include?("github_badges")).to eq(true)
+        expect(response.headers["Cache-Control"]).not_to eq("max-age=86400, public, immutable")
+      end
+
+      context "with plugin" do
+        before do
+          JsLocaleHelper.clear_cache!
+          JsLocaleHelper.expects(:plugin_translations)
+            .with(any_of("en", "en_US"))
+            .returns("admin_js" => {
+              "admin" => {
+                "site_settings" => {
+                  "categories" => {
+                    "github_badges" => "Github Badges"
+                  }
+                }
+              }
+            }).at_least_once
+        end
+
+        after do
+          JsLocaleHelper.clear_cache!
+        end
+
+        it "includes plugin translations" do
+          get "/extra-locales/admin"
+          expect(response.status).to eq(200)
+          expect(response.body.include?("github_badges")).to eq(true)
+        end
       end
     end
   end
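Review bot: The new "requires staff access" example on lines 68–74 only exercises an anonymous request, so a regression that let any signed-in non-staff user through (dropping `.staff?` while keeping the nil check) would still pass. Add a case that signs in a regular, non-staff user and expects 403, e.g. `sign_in(Fabricate(:user)); get "/extra-locales/admin"; expect(response.status).to eq(403)`, and since the wizard bundle is gated too, give it a 200 expectation inside the moderator context. The moderator context also pins `public` in Cache-Control on a response that is now staff-only; it is worth confirming that a shared cache serving that body to non-staff clients is acceptable before locking the header in.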

GitHub sha: 53667a01