From 04760132e9a43ca1bf36ba5e0af659eeca332b16 Mon Sep 17 00:00:00 2001
From: Kevin Ansfield
Date: Tue, 20 Apr 2021 17:08:54 +0100
Subject: [PATCH] Moved payment settings access control to route
no issue
- having owner-only access control in the template meant the route was accessible but would show a blank page
- updated access control in the `members-payments` route to redirect admins to the settings index screen and non-admins to the default home screen
---
 .../app/controllers/settings/members-payments.js | 1 -
 ghost/admin/app/routes/settings/members-payments.js | 13 ++++++++-----
 .../app/templates/settings/members-payments.hbs | 5 -----
 3 files changed, 8 insertions(+), 11 deletions(-)
diff --git a/ghost/admin/app/controllers/settings/members-payments.js b/ghost/admin/app/controllers/settings/members-payments.js
index a0cc6295ca..cf6c9fcc15 100644
--- a/ghost/admin/app/controllers/settings/members-payments.js
+++ b/ghost/admin/app/controllers/settings/members-payments.js
@@ -4,7 +4,6 @@ import {inject as service} from '@ember/service';
 import {task} from 'ember-concurrency';
 export default Controller.extend({
- session: service(),
 settings: service(),
 actions: {
diff --git a/ghost/admin/app/routes/settings/members-payments.js b/ghost/admin/app/routes/settings/members-payments.js
index f9579bae4b..117431f662 100644
--- a/ghost/admin/app/routes/settings/members-payments.js
+++ b/ghost/admin/app/routes/settings/members-payments.js
@@ -1,8 +1,7 @@
 import AuthenticatedRoute from 'ghost-admin/routes/authenticated';
-import CurrentUserSettings from 'ghost-admin/mixins/current-user-settings';
 import {inject as service} from '@ember/service';
-export default AuthenticatedRoute.extend(CurrentUserSettings, {
+export default AuthenticatedRoute.extend({
 settings: service(),
 notifications: service(),
 queryParams: {
@@ -16,9 +15,13 @@ export default AuthenticatedRoute.extend(CurrentUserSettings, {
 beforeModel() {
 this._super(...arguments);
- return this.get('session.user')
- .then(this.transitionAuthor())
- .then(this.transitionEditor());
+ return this.get('session.user').then((user) => {
+ if (!user.isOwner && user.isAdmin) {
+ return this.transitionTo('settings');
+ } else if (!user.isOwner) {
+ return this.transitionTo('home');
+ }
+ });
 },
 model() {
diff --git a/ghost/admin/app/templates/settings/members-payments.hbs b/ghost/admin/app/templates/settings/members-payments.hbs
index 520169ea16..d3cb3871f7 100644
--- a/ghost/admin/app/templates/settings/members-payments.hbs
+++ b/ghost/admin/app/templates/settings/members-payments.hbs
@@ -17,16 +17,11 @@
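Review bot: The owner check added to `beforeModel` is a browser-side redirect, and with the template's `{{#if this.session.user.isOwner}}` wrapper removed in the same commit it is the only gate left in the admin client for this screen. It improves navigation for non-owners but does not stop a non-owner session from calling the settings API directly, so owner-only access to the payment settings has to be enforced by the server; that enforcement is not visible in this diff and is worth confirming. I would state this above the check, e.g. `// UX redirect only; the API must enforce owner-only access to payment settings`. The two `!user.isOwner` branches also read more clearly as a deny-by-default guard: `if (user.isOwner) { return; }` followed by `return this.transitionTo(user.isAdmin ? 'settings' : 'home');`.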
- - {{#if this.session.user.isOwner}}
- - {{/if}} -
\ No newline at end of file