FIX: Provide better API for registering custom upload public types (#10697)

With secure media and the UploadSecurity class, we need a nice way for plugins to register custom upload types that should be considered public and never secure.
Martin Brennan 2020-09-18 11:54:33 +10:00 committed by GitHub
parent 22181f59ab
commit 14b324e5ed
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 27 additions and 4 deletions


@ -14,10 +14,21 @@
# on the current secure? status, otherwise there would be a lot of additional # on the current secure? status, otherwise there would be a lot of additional
# complex queries and joins to perform. # complex queries and joins to perform.
class UploadSecurity class UploadSecurity
@@custom_public_types = []
PUBLIC_TYPES = %w[ PUBLIC_TYPES = %w[
avatar custom_emoji profile_background card_background category_logo category_background avatar
custom_emoji
profile_background
card_background
category_logo
category_background
] ]
def self.register_custom_public_type(type)
@@custom_public_types << type if !@@custom_public_types.include?(type)
end
def initialize(upload, opts = {}) def initialize(upload, opts = {})
@upload = upload @upload = upload
@opts = opts @opts = opts
@ -30,8 +41,6 @@ class UploadSecurity
uploading_in_secure_context? uploading_in_secure_context?
end end
private
def uploading_in_public_context? def uploading_in_public_context?
@upload.for_theme || @upload.for_theme ||
@upload.for_site_setting || @upload.for_site_setting ||
@ -49,6 +58,8 @@ class UploadSecurity
uploading_in_composer? || @upload.for_private_message || @upload.for_group_message || @upload.secure? uploading_in_composer? || @upload.for_private_message || @upload.for_group_message || @upload.secure?
end end
private
# whether the upload should remain secure or not after posting depends on its context, # whether the upload should remain secure or not after posting depends on its context,
# which is based on the post it is linked to via access_control_post_id. # which is based on the post it is linked to via access_control_post_id.
# if that post is with_secure_media? then the upload should also be secure. # if that post is with_secure_media? then the upload should also be secure.
@ -62,7 +73,7 @@ class UploadSecurity
end end
def public_type? def public_type?
PUBLIC_TYPES.include?(@upload_type) PUBLIC_TYPES.include?(@upload_type) || @@custom_public_types.include?(@upload_type)
end end
def uploading_in_composer? def uploading_in_composer?
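Review bot: `register_custom_public_type` appends to a process-wide `@@custom_public_types` list that `public_type?` treats exactly like `PUBLIC_TYPES`, so any loaded plugin can opt an upload type out of secure media, and the method carries no comment saying so. I would add one above it, e.g. `# Uploads of a registered type are always public, even when secure media is enabled; register only types that never carry private content.` The value is also stored as passed, so a Symbol would presumably never match `@upload_type` if that is a String (its assignment is outside the hunks); normalising with `type = type.to_s` before the `include?` check would make registration predictable. The `private` keyword also moved below `uploading_in_secure_context?`, which makes `uploading_in_public_context?` and `uploading_in_secure_context?` public; worth confirming that is intended.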


@ -64,6 +64,18 @@ RSpec.describe UploadSecurity do
expect(subject.should_be_secure?).to eq(false) expect(subject.should_be_secure?).to eq(false)
end end
end end
describe "for a custom public type" do
let(:type) { 'my_custom_type' }
it "returns true if the custom type has not been added" do
expect(subject.should_be_secure?).to eq(true)
end
it "returns false if the custom type has been added" do
UploadSecurity.register_custom_public_type(type)
expect(subject.should_be_secure?).to eq(false)
end
end
describe "for_theme" do describe "for_theme" do
before do before do
upload.stubs(:for_theme).returns(true) upload.stubs(:for_theme).returns(true)
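Review bot: The example "returns false if the custom type has been added" calls `UploadSecurity.register_custom_public_type(type)` and never undoes it, so `'my_custom_type'` stays in the class-level list for the rest of the process. Under random example ordering the sibling example "returns true if the custom type has not been added" fails whenever it runs second, and any later spec that uses this type sees it as public. The class as changed here offers no way to clear the list, so I would add a reset helper to `UploadSecurity`, for instance `def self.reset_custom_public_types; @@custom_public_types = []; end`, and call it from an `after` block in this `describe`.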