From 49f97d75b722f40a7dd41c3f69f1c36e15dbe66f Mon Sep 17 00:00:00 2001
From: Sam <sam.saffron@gmail.com>
Date: Thu, 23 Nov 2017 17:28:18 +1100
Subject: [PATCH] FIX: make uploads safe for block that can run later

---
 app/controllers/uploads_controller.rb | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 65aa5e2b9ff..72b9fc98593 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -6,6 +6,9 @@ class UploadsController < ApplicationController
   skip_before_action :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]
 
   def create
+    # capture current user for block later on
+    me = current_user
+
     # 50 characters ought to be enough for the upload type
     type = params.require(:type).parameterize(separator: "_")[0..50]
 
@@ -19,12 +22,12 @@ class UploadsController < ApplicationController
     for_private_message = params[:for_private_message] == "true"
 
     if params[:synchronous] && (current_user.staff? || is_api?)
-      data = create_upload(file, url, type, for_private_message, pasted)
+      data = create_upload(current_user, file, url, type, for_private_message, pasted)
       render json: serialize_upload(data)
     else
       Scheduler::Defer.later("Create Upload") do
         begin
-          data = create_upload(file, url, type, for_private_message, pasted)
+          data = create_upload(me, file, url, type, for_private_message, pasted)
         ensure
           MessageBus.publish("/uploads/#{type}", serialize_upload(data), client_ids: [params[:client_id]])
         end
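Review bot: The deferred block still reads request-bound state after this change: `params[:client_id]` is evaluated inside the `ensure` when the message is published, and `create_upload` (third hunk) calls `is_api?` from inside the same block. If `current_user` is captured because the block can run after the request has finished, these two lookups presumably have the same exposure, and `is_api?` decides whether the `url` branch is taken. Capture them before `Scheduler::Defer.later` as well, e.g. `client_id = params[:client_id]` next to `me = current_user`, and pass the API flag into `create_upload` as an argument. The `create` method starts before this hunk and continues after it.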
@@ -80,7 +83,7 @@ class UploadsController < ApplicationController
     raise Discourse::NotFound
   end
 
-  def create_upload(file, url, type, for_private_message, pasted)
+  def create_upload(current_user, file, url, type, for_private_message, pasted)
     if file.nil?
       if url.present? && is_api?
         maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes
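Review bot: Naming the new parameter `current_user` shadows the controller helper of the same name. Inside `create_upload` the bare identifier is now the captured argument, but any helper called from here that resolves the user itself would still go through the request. The name was presumably kept to avoid touching the body, but it hides which of the two is in use. Rename it, e.g. `def create_upload(user, file, url, type, for_private_message, pasted)`, or add a comment such as `# current_user is passed in: this may run in a deferred block, outside the request`. The body of `create_upload` continues past this hunk, so its other uses are not visible here.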