discourse/app/controllers/export_csv_controller.rb

# frozen_string_literal: true

class ExportCsvController < ApplicationController
  skip_before_action :preload_json, :check_xhr, only: [:show]

  def export_entity
    guardian.ensure_can_export_entity!(export_params[:entity])
    entity = export_params[:entity]
    raise Discourse::InvalidParameters.new(:entity) unless entity.is_a?(String) && entity.size < 100

    (export_params[:args] || {}).each do |key, value|
      unless value.is_a?(String) && value.size < 100
        raise Discourse::InvalidParameters.new("args.#{key}")
      end
    end

    if entity == "user_archive"
      Jobs.enqueue(:export_user_archive, user_id: current_user.id, args: export_params[:args])
    else
      Jobs.enqueue(
        :export_csv_file,
        entity: entity,
        user_id: current_user.id,
        args: export_params[:args],
      )
    end
    StaffActionLogger.new(current_user).log_entity_export(entity)
    render json: success_json
  rescue Discourse::InvalidAccess
    render_json_error I18n.t("csv_export.rate_limit_error")
  end

  private

  def export_params
    @_export_params ||=
      begin
        params.require(:entity)
        params.permit(:entity, args: Report::FILTERS).to_h
      end
  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-03 06:17:27 +08:00			`# frozen_string_literal: true`

FEATURE: download user posts archive 2014-12-23 00:17:04 +08:00			`class ExportCsvController < ApplicationController`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 12:06:56 +08:00			`skip_before_action :preload_json, :check_xhr, only: [:show]`
FEATURE: export user list 2014-08-09 18:28:57 +08:00
FEATURE: export csv for all the logs 2014-12-07 12:15:22 +08:00			`def export_entity`
SECURITY: Validate the `entity` when downloading a CSV 2017-05-20 03:59:37 +08:00			`guardian.ensure_can_export_entity!(export_params[:entity])`
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-23 03:47:15 +08:00			`entity = export_params[:entity]`
			`raise Discourse::InvalidParameters.new(:entity) unless entity.is_a?(String) && entity.size < 100`
DEV: Switch to new ExportUserArchive job We now use the newly created job class from the previous commit. 2020-08-28 06:54:25 +08:00
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-23 03:47:15 +08:00			`(export_params[:args] \|\| {}).each do \|key, value\|`
			`unless value.is_a?(String) && value.size < 100`
			`raise Discourse::InvalidParameters.new("args.#{key}")`
			`end`
			`end`

			`if entity == "user_archive"`
DEV: Switch to new ExportUserArchive job We now use the newly created job class from the previous commit. 2020-08-28 06:54:25 +08:00			`Jobs.enqueue(:export_user_archive, user_id: current_user.id, args: export_params[:args])`
			`else`
			`Jobs.enqueue(`
			`:export_csv_file,`
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-23 03:47:15 +08:00			`entity: entity,`
DEV: Switch to new ExportUserArchive job We now use the newly created job class from the previous commit. 2020-08-28 06:54:25 +08:00			`user_id: current_user.id,`
			`args: export_params[:args],`
			`)`
			`end`
SECURITY: Prevent large staff actions causing DoS This commit operates at three levels of abstraction: 1. We want to prevent user history rows from being unbounded in size. This commit adds rails validations to limit the sizes of columns on user_histories, 2. However, we don't want to prevent certain actions from being completed if these columns are too long. In those cases, we truncate the values that are given and store the truncated versions, 3. For endpoints that perform staff actions, we can further control what is permitted by explicitly validating the params that are given before attempting the action, 2024-02-23 03:47:15 +08:00			`StaffActionLogger.new(current_user).log_entity_export(entity)`
FEATURE: export screened IPs list in a CSV file 2014-11-21 23:25:04 +08:00			`render json: success_json`
FIX: better error message when forum is in read-only mode 2019-12-24 18:19:27 +08:00			`rescue Discourse::InvalidAccess`
fix the build. 2019-12-24 18:26:44 +08:00			`render_json_error I18n.t("csv_export.rate_limit_error")`
FEATURE: export screened IPs list in a CSV file 2014-11-21 23:25:04 +08:00			`end`

FEATURE: export dashboard reports to csv file 2015-09-16 04:45:01 +08:00			`private`
FEATURE: Watched words improvements (#7899) This commit contains 3 features: - FEATURE: Allow downloading watched words This introduces a button that allows admins to download watched words per action in a `.txt` file. - FEATURE: Allow clearing watched words in bulk This adds a "Clear All" button that clears all deleted words per action (e.g. block, flag etc.) - FEATURE: List all blocked words contained in the post when it's blocked When a post is rejected because it contains one or more blocked words, the error message now lists all the blocked words contained in the post. ------- This also changes the format of the file for importing watched words from `.csv` to `.txt` so it becomes inconsistent with the extension of the file when watched words are exported. 2019-07-22 19:59:56 +08:00
FEATURE: export dashboard reports to csv file 2015-09-16 04:45:01 +08:00			`def export_params`
			`@_export_params \|\|=`
			`begin`
			`params.require(:entity)`
FIX: Use include-subcategories filter in report export (#10007) Some filters were renamed and the conversion of the filter names and arguments was removed. 2020-06-10 23:57:39 +08:00			`params.permit(:entity, args: Report::FILTERS).to_h`
FEATURE: export dashboard reports to csv file 2015-09-16 04:45:01 +08:00			`end`
Make rubocop happy again. 2018-06-07 13:28:18 +08:00			`end`
FEATURE: export user list 2014-08-09 18:28:57 +08:00			`end`