From 5b4873a9ace3a1d68225d36f50df0204e1c78cc5 Mon Sep 17 00:00:00 2001
From: logikonline
Date: Sun, 1 Feb 2026 12:52:14 -0500
Subject: [PATCH] fix(ui): enforce Explore button visibility via route guard

- Add exploreAnonymousGuard middleware to redirect anonymous users when Explore is hidden
- Move enforcement from template to route level for better security
- Prevent direct URL access to /explore routes when feature is disabled
- Keep Explore button visible in navbar but make routes inaccessible

This prevents users from bypassing the UI restriction by directly accessing /explore URLs.
---
 routers/web/web.go | 9 ++++++++-
 templates/base/head_navbar.tmpl | 2 --
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/routers/web/web.go b/routers/web/web.go
index 9f9e73becd..039e6785f0 100644
--- a/routers/web/web.go
+++ b/routers/web/web.go
@@ -549,6 +549,13 @@ func registerWebRoutes(m *web.Router) {
 m.Get("/-/web-theme/list", misc.WebThemeList)
 m.Post("/-/web-theme/apply", optSignIn, misc.WebThemeApply)
 
+ exploreAnonymousGuard := func(ctx *context.Context) {
+ if ctx.Doer == nil && setting.Config().Theme.HideExploreButton.Value(ctx) {
+ ctx.Redirect(setting.AppSubURL + "/")
+ return
+ }
+ }
+
 m.Group("/explore", func() {
 m.Get("", func(ctx *context.Context) {
 ctx.Redirect(setting.AppSubURL + "/explore/repos")
@@ -566,7 +573,7 @@ func registerWebRoutes(m *web.Router) {
 }
 }, explore.Code)
 m.Get("/topics/search", explore.TopicSearch)
- }, optExploreSignIn)
+ }, optExploreSignIn, exploreAnonymousGuard)
 
 m.Group("/issues", func() {
 m.Get("", user.Issues)
diff --git a/templates/base/head_navbar.tmpl b/templates/base/head_navbar.tmpl
index fef72f212d..862465f8c5 100644
--- a/templates/base/head_navbar.tmpl
+++ b/templates/base/head_navbar.tmpl
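Review bot: The new `exploreAnonymousGuard` closure makes `Theme.HideExploreButton`, a display setting by its name, decide whether anonymous requests reach `/explore`, and nothing at the definition records that. A comment above it would help, for example `// exploreAnonymousGuard blocks anonymous access to /explore while the Explore button is hidden; signed-in users are unaffected.` The guard covers only this route group, so whether other routes or API endpoints return the same listings cannot be judged from this hunk and should be checked before the flag is treated as a data-access control. The `return` inside the `if` is redundant because the closure ends immediately after it. `registerWebRoutes` starts and ends outside the hunk.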
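Review bot: With the guard attached to the whole group, `m.Get("/topics/search", explore.TopicSearch)` also answers anonymous requests with a redirect to `setting.AppSubURL + "/"`. If that route is called from scripts rather than navigated to (its name suggests a search endpoint; the handler is outside this patch), the caller gets the home page instead of a clear refusal. A not-found or forbidden status from the guard would be unambiguous in both cases and would match the commit message's stated aim of making the routes inaccessible. The group body begins in the previous hunk, and `registerWebRoutes` continues beyond this one.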
@@ -30,9 +30,7 @@
 {{ctx.Locale.Tr "milestones"}}
 {{end}}
 {{end}}
- {{if not (.SystemConfig.Theme.HideExploreButton.Value ctx)}}
 {{ctx.Locale.Tr "explore_title"}}
- {{end}}
 {{if .SystemConfig.Theme.APIHeaderURL.Value ctx}}
 {{ctx.Locale.Tr "api"}}
 {{end}}