
fix(ui): enforce Explore button visibility via route guard

- Add exploreAnonymousGuard middleware to redirect anonymous users when Explore is hidden
- Move enforcement from template to route level for better security
- Prevent direct URL access to /explore routes when feature is disabled
- Keep Explore button visible in navbar but make routes inaccessible

This prevents users from bypassing the UI restriction by directly accessing /explore URLs.
2026-02-01 12:52:14 -05:00
parent 0259eed592
commit 5b4873a9ac
2 changed files with 8 additions and 3 deletions


@@ -549,6 +549,13 @@ func registerWebRoutes(m *web.Router) {
m.Get("/-/web-theme/list", misc.WebThemeList)
m.Post("/-/web-theme/apply", optSignIn, misc.WebThemeApply)
exploreAnonymousGuard := func(ctx *context.Context) {
if ctx.Doer == nil && setting.Config().Theme.HideExploreButton.Value(ctx) {
ctx.Redirect(setting.AppSubURL + "/")
return
}
}
m.Group("/explore", func() {
m.Get("", func(ctx *context.Context) {
ctx.Redirect(setting.AppSubURL + "/explore/repos")
@@ -566,7 +573,7 @@ func registerWebRoutes(m *web.Router) {
}
}, explore.Code)
m.Get("/topics/search", explore.TopicSearch)
}, optExploreSignIn)
}, optExploreSignIn, exploreAnonymousGuard)
m.Group("/issues", func() {
m.Get("", user.Issues)
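Review bot: The `exploreAnonymousGuard` closure gates on `Theme.HideExploreButton`, a display setting, and applies only to the `/explore` group it is attached to, so it should not be read as access control for the listings themselves. Now that the template no longer checks the setting, this closure is its only enforcement point, and any other route serving the same data (none is visible in this hunk) is unaffected; `optExploreSignIn` presumably remains the actual sign-in requirement. I would add a comment above the closure, e.g. `// exploreAnonymousGuard redirects anonymous visitors away from /explore when the Explore button is hidden; it is a UI-level restriction, not an authorization check.` It is also worth confirming that the home page never sends anonymous visitors back to a path under `/explore`, because `ctx.Redirect(setting.AppSubURL + "/")` would then loop. registerWebRoutes starts and ends outside the hunk.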


@@ -30,9 +30,7 @@
<a class="item{{if .PageIsMilestonesDashboard}} active{{end}}" href="{{AppSubUrl}}/milestones">{{ctx.Locale.Tr "milestones"}}</a>
{{end}}
{{end}}
{{if not (.SystemConfig.Theme.HideExploreButton.Value ctx)}}
<a class="item{{if .PageIsExplore}} active{{end}}" href="{{AppSubUrl}}/explore/repos">{{ctx.Locale.Tr "explore_title"}}</a>
{{end}}
{{if .SystemConfig.Theme.APIHeaderURL.Value ctx}}
<a class="item" href="{{.SystemConfig.Theme.APIHeaderURL.Value ctx}}">{{ctx.Locale.Tr "api"}}</a>
{{end}}