discourse/app/controllers/export_csv_controller.rb

# frozen_string_literal: true

class ExportCsvController < ApplicationController
  skip_before_action :preload_json, :check_xhr, only: [:show]

  def export_entity
    entity = export_params[:entity]
    entity_id = params.dig(:args, :export_user_id)&.to_i if entity == "user_archive"
    guardian.ensure_can_export_entity!(entity, entity_id)
    raise Discourse::InvalidParameters.new(:entity) unless entity.is_a?(String) && entity.size < 100

    (export_params[:args] || {}).each do |key, value|
      unless value.is_a?(String) && value.size < 100
        raise Discourse::InvalidParameters.new("args.#{key}")
      end
    end

    if entity == "user_archive"
      requesting_user_id = current_user.id if entity_id

      # Rate limit user archive exports to 1 per day
      unless current_user.admin ||
               UserExport.where(
                 user_id: entity_id || current_user.id,
                 created_at: (Time.zone.now.beginning_of_day..Time.zone.now.end_of_day),
               ).count == 0
        render_json_error I18n.t("csv_export.rate_limit_error")
        return
      end

      Jobs.enqueue(
        :export_user_archive,
        user_id: entity_id || current_user.id,
        requesting_user_id:,
        args: export_params[:args],
      )
    else
      Jobs.enqueue(
        :export_csv_file,
        entity: entity,
        user_id: current_user.id,
        args: export_params[:args],
      )
    end
    StaffActionLogger.new(current_user).log_entity_export(entity)
    render json: success_json
  rescue Discourse::InvalidAccess
    render_json_error I18n.t("csv_export.rate_limit_error")
  end

  def latest_user_archive
    user_id = params[:user_id].to_i
    # If we can't export the entity, we shouldn't be able to see it either
    guardian.ensure_can_export_entity!("user_archive", user_id)

    render json:
             UserExport
               .where(user_id:)
               .where("created_at > ?", UserExport::DESTROY_CREATED_BEFORE.ago)
               .order(created_at: :desc)
               .first
  end

  private

  def export_params
    @_export_params ||=
      begin
        params.require(:entity)
        params.permit(:entity, args: Report::FILTERS).to_h
      end
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-03 08:17:27 +10:00			`# frozen_string_literal: true`

FEATURE: download user posts archive 2014-12-22 21:47:04 +05:30			`class ExportCsvController < ApplicationController`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 12:06:56 +08:00			`skip_before_action :preload_json, :check_xhr, only: [:show]`
FEATURE: export user list 2014-08-09 15:58:57 +05:30
FEATURE: export csv for all the logs 2014-12-07 09:45:22 +05:30			`def export_entity`
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-22 13:47:15 -06:00			`entity = export_params[:entity]`
FEATURE: Allow admins to export users (#30918) The GDPR requires all users to be able to export their data, or request an export of their data. This is fine for active users as we have a data export button on user profiles, but suspended users have no way of accessing the data export function, and the workaround for admins to export data for suspended users involves temporarily unsuspending them, then impersonating the user to export the data as them. Since suspended users no longer have access to their account, we can safely assume that the export request will be coming via a medium outside of Discourse (eg, email). This change is built with this workflow in mind. This change adds a new "User exports" section to the admin user page, allowing admins to start a new export, and to download the latest export file. 2025-01-24 08:13:25 +11:00			`entity_id = params.dig(:args, :export_user_id)&.to_i if entity == "user_archive"`
			`guardian.ensure_can_export_entity!(entity, entity_id)`
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-22 13:47:15 -06:00			`raise Discourse::InvalidParameters.new(:entity) unless entity.is_a?(String) && entity.size < 100`
DEV: Switch to new ExportUserArchive job We now use the newly created job class from the previous commit. 2020-08-27 15:54:25 -07:00
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-22 13:47:15 -06:00			`(export_params[:args] \|\| {}).each do \|key, value\|`
			`unless value.is_a?(String) && value.size < 100`
			`raise Discourse::InvalidParameters.new("args.#{key}")`
			`end`
			`end`

			`if entity == "user_archive"`
FEATURE: Allow admins to export users (#30918) The GDPR requires all users to be able to export their data, or request an export of their data. This is fine for active users as we have a data export button on user profiles, but suspended users have no way of accessing the data export function, and the workaround for admins to export data for suspended users involves temporarily unsuspending them, then impersonating the user to export the data as them. Since suspended users no longer have access to their account, we can safely assume that the export request will be coming via a medium outside of Discourse (eg, email). This change is built with this workflow in mind. This change adds a new "User exports" section to the admin user page, allowing admins to start a new export, and to download the latest export file. 2025-01-24 08:13:25 +11:00			`requesting_user_id = current_user.id if entity_id`
FIX: Only apply the rate limit to user exports, not downloads (#30965) Follow-up to 7fc8d74f3eed52116add452b5321b41e02e04499. This change moves the guardian check for whether an export has been generated too recently to the endpoint handler, since we only want this check to apply when generating an export. 2025-01-24 09:37:05 +11:00
			`# Rate limit user archive exports to 1 per day`
			`unless current_user.admin \|\|`
			`UserExport.where(`
			`user_id: entity_id \|\| current_user.id,`
			`created_at: (Time.zone.now.beginning_of_day..Time.zone.now.end_of_day),`
			`).count == 0`
			`render_json_error I18n.t("csv_export.rate_limit_error")`
			`return`
			`end`

FEATURE: Allow admins to export users (#30918) The GDPR requires all users to be able to export their data, or request an export of their data. This is fine for active users as we have a data export button on user profiles, but suspended users have no way of accessing the data export function, and the workaround for admins to export data for suspended users involves temporarily unsuspending them, then impersonating the user to export the data as them. Since suspended users no longer have access to their account, we can safely assume that the export request will be coming via a medium outside of Discourse (eg, email). This change is built with this workflow in mind. This change adds a new "User exports" section to the admin user page, allowing admins to start a new export, and to download the latest export file. 2025-01-24 08:13:25 +11:00			`Jobs.enqueue(`
			`:export_user_archive,`
			`user_id: entity_id \|\| current_user.id,`
			`requesting_user_id:,`
			`args: export_params[:args],`
			`)`
DEV: Switch to new ExportUserArchive job We now use the newly created job class from the previous commit. 2020-08-27 15:54:25 -07:00			`else`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 12:20:10 +00:00			`Jobs.enqueue(`
			`:export_csv_file,`
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-22 13:47:15 -06:00			`entity: entity,`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 12:20:10 +00:00			`user_id: current_user.id,`
			`args: export_params[:args],`
			`)`
DEV: Switch to new ExportUserArchive job We now use the newly created job class from the previous commit. 2020-08-27 15:54:25 -07:00			`end`
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-22 13:47:15 -06:00			`StaffActionLogger.new(current_user).log_entity_export(entity)`
FEATURE: export screened IPs list in a CSV file 2014-11-21 20:55:04 +05:30			`render json: success_json`
FIX: better error message when forum is in read-only mode 2019-12-24 15:49:27 +05:30			`rescue Discourse::InvalidAccess`
fix the build. 2019-12-24 15:56:44 +05:30			`render_json_error I18n.t("csv_export.rate_limit_error")`
FEATURE: export screened IPs list in a CSV file 2014-11-21 20:55:04 +05:30			`end`

FEATURE: Allow admins to export users (#30918) The GDPR requires all users to be able to export their data, or request an export of their data. This is fine for active users as we have a data export button on user profiles, but suspended users have no way of accessing the data export function, and the workaround for admins to export data for suspended users involves temporarily unsuspending them, then impersonating the user to export the data as them. Since suspended users no longer have access to their account, we can safely assume that the export request will be coming via a medium outside of Discourse (eg, email). This change is built with this workflow in mind. This change adds a new "User exports" section to the admin user page, allowing admins to start a new export, and to download the latest export file. 2025-01-24 08:13:25 +11:00			`def latest_user_archive`
			`user_id = params[:user_id].to_i`
			`# If we can't export the entity, we shouldn't be able to see it either`
			`guardian.ensure_can_export_entity!("user_archive", user_id)`

			`render json:`
			`UserExport`
			`.where(user_id:)`
			`.where("created_at > ?", UserExport::DESTROY_CREATED_BEFORE.ago)`
			`.order(created_at: :desc)`
			`.first`
			`end`

FEATURE: export dashboard reports to csv file 2015-09-15 16:45:01 -04:00			`private`
FEATURE: Watched words improvements (#7899) This commit contains 3 features: - FEATURE: Allow downloading watched words This introduces a button that allows admins to download watched words per action in a `.txt` file. - FEATURE: Allow clearing watched words in bulk This adds a "Clear All" button that clears all deleted words per action (e.g. block, flag etc.) - FEATURE: List all blocked words contained in the post when it's blocked When a post is rejected because it contains one or more blocked words, the error message now lists all the blocked words contained in the post. ------- This also changes the format of the file for importing watched words from `.csv` to `.txt` so it becomes inconsistent with the extension of the file when watched words are exported. 2019-07-22 14:59:56 +03:00
Make rubocop happy again. 2018-06-07 13:28:18 +08:00			`def export_params`
DEV: Apply syntax_tree formatting to `app/*` 2023-01-09 12:20:10 +00:00			`@_export_params \|\|=`
			`begin`
			`params.require(:entity)`
			`params.permit(:entity, args: Report::FILTERS).to_h`
			`end`
Make rubocop happy again. 2018-06-07 13:28:18 +08:00			`end`
FEATURE: export user list 2014-08-09 15:58:57 +05:30			`end`