From 8fa1ce96ff4e83bd43ad873c6d8d0e8623e3a967 Mon Sep 17 00:00:00 2001
From: Christopher Giffard
Date: Wed, 18 Sep 2013 12:31:43 +1000
Subject: [PATCH] Settings: Return 404 for unrecognised pages

Fixes #798 - Now checks the request URL against a whitelist to determine whether the settings page exists.
**Notes**
- This works in the short term, but a better solution for enumerating the available settings views or centralising a list of recognised views that are available to client side code, (the router and sidebar, among others) as well as the backend controller will be required.
---
 core/server/controllers/admin.js | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/core/server/controllers/admin.js b/core/server/controllers/admin.js
index 2d37e75d3b..7f2139bd0c 100644
--- a/core/server/controllers/admin.js
+++ b/core/server/controllers/admin.js
@@ -260,7 +260,17 @@ adminControllers = {
 adminNav: setSelected(adminNavbar, 'content')
 });
 },
- 'settings': function (req, res) {
+ 'settings': function (req, res, next) {
+
+ // TODO: Centralise list/enumeration of settings panes, so we don't
+ // run into trouble in future.
+ var allowedSections = ["", "general", "user"],
+ section = req.url.replace(/(^\/ghost\/settings[\/]*|\/$)/ig, "");
+
+ if (allowedSections.indexOf(section) < 0) {
+ return next();
+ }
+
 res.render('settings', {
 bodyClass: 'settings',
 adminNav: setSelected(adminNavbar, 'settings')
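Review bot: `section` is computed from `req.url`, which still carries the query string, so a request like `/ghost/settings/general?x=1` yields the section `general?x=1`, misses the allowlist and falls through to `next()` (a 404) even though the pane exists. Deriving it from the pathname only, e.g. `section = req.path.replace(/(^\/ghost\/settings[\/]*|\/$)/ig, "");` (Express exposes `req.path`; `url.parse(req.url).pathname` is the stdlib alternative if `url` is already required in this file), keeps the check to the part of the URL it is meant to classify. Failing closed on anything outside `allowedSections` is the right direction; note that the `i` flag also strips `/Ghost/Settings/`, which is harmless here but means the allowlist is reached for case-variant paths that the router may treat differently. The `'settings'` handler's closing lines lie outside the hunk.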