From b1022566da98b5b58f08a1efc76daba345eac232 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <barisusakli@gmail.com>
Date: Mon, 2 Jun 2025 09:55:20 -0400
Subject: [PATCH] fix: closes #13458, check if plugin is system

plugin before activate/deactive/install/uninstall
---
 public/language/en-GB/error.json |  1 +
 src/plugins/install.js           | 10 ++++++++++
 src/socket.io/admin/plugins.js   |  6 ++++++
 3 files changed, 17 insertions(+)

diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json
index 82a623ea32..ec51a88ead 100644
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -271,6 +271,7 @@
 
 	"invalid-plugin-id": "Invalid plugin ID",
 	"plugin-not-whitelisted": "Unable to install plugin &ndash; only plugins whitelisted by the NodeBB Package Manager can be installed via the ACP",
+	"cannot-toggle-system-plugin": "You cannot toggle the state of a system plugin",
 	"plugin-installation-via-acp-disabled": "Plugin installation via ACP is disabled",
 	"plugins-set-in-configuration": "You are not allowed to change plugin state as they are defined at runtime (config.json, environmental variables or terminal arguments), please modify the configuration instead.",
 	"theme-not-set-in-configuration": "When defining active plugins in configuration, changing themes requires adding the new theme to the list of active plugins before updating it in the ACP",
diff --git a/src/plugins/install.js b/src/plugins/install.js
index 21d993226d..f3da1c3fb8 100644
--- a/src/plugins/install.js
+++ b/src/plugins/install.js
@@ -156,6 +156,16 @@ module.exports = function (Plugins) {
 		}
 	};
 
+	Plugins.isSystemPlugin = async function (id) {
+		const pluginDir = path.join(paths.nodeModules, id, 'plugin.json');
+		try {
+			const pluginData = JSON.parse(await fs.readFile(pluginDir, 'utf8'));
+			return pluginData && pluginData.system === true;
+		} catch (err) {
+			return false;
+		}
+	};
+
 	Plugins.isActive = async function (id) {
 		if (nconf.get('plugins:active')) {
 			return nconf.get('plugins:active').includes(id);
diff --git a/src/socket.io/admin/plugins.js b/src/socket.io/admin/plugins.js
index 4489be42bd..32f5ff61d0 100644
--- a/src/socket.io/admin/plugins.js
+++ b/src/socket.io/admin/plugins.js
@@ -11,6 +11,9 @@ const { pluginNamePattern } = require('../../constants');
 const Plugins = module.exports;
 
 Plugins.toggleActive = async function (socket, plugin_id) {
+	if (await plugins.isSystemPlugin(plugin_id)) {
+		throw new Error('[[error:cannot-toggle-system-plugin]]');
+	}
 	postsCache.reset();
 	const data = await plugins.toggleActive(plugin_id);
 	await events.log({
@@ -22,6 +25,9 @@ Plugins.toggleActive = async function (socket, plugin_id) {
 };
 
 Plugins.toggleInstall = async function (socket, data) {
+	if (await plugins.isSystemPlugin(data.id)) {
+		throw new Error('[[error:cannot-toggle-system-plugin]]');
+	}
 	const isInstalled = await plugins.isInstalled(data.id);
 	const isStarterPlan = nconf.get('saas_plan') === 'starter';
 	if ((isStarterPlan || nconf.get('acpPluginInstallDisabled')) && !isInstalled) {