mirror of
https://github.com/discourse/discourse.git
synced 2024-12-14 12:03:57 +08:00
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212)
Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
This commit is contained in:
parent
c4cd864c26
commit
4eb4293e66
|
@ -102,7 +102,9 @@ class UploadsController < ApplicationController
|
|||
sha1 = Upload.sha1_from_base62_encoded(params[:base62])
|
||||
|
||||
if upload = Upload.find_by(sha1: sha1)
|
||||
return handle_secure_upload_request(upload, Discourse.store.get_path_for_upload(upload)) if upload.secure? && SiteSetting.secure_media?
|
||||
if upload.secure? && SiteSetting.secure_media?
|
||||
return handle_secure_upload_request(upload)
|
||||
end
|
||||
|
||||
if Discourse.store.internal?
|
||||
send_file_local_upload(upload)
|
||||
|
@ -128,7 +130,6 @@ class UploadsController < ApplicationController
|
|||
upload = Upload.find_by(sha1: sha1)
|
||||
return render_404 if upload.blank?
|
||||
|
||||
signed_secure_url = Discourse.store.signed_url_for_path(path_with_ext)
|
||||
return handle_secure_upload_request(upload, path_with_ext) if SiteSetting.secure_media?
|
||||
|
||||
# we don't want to 404 here if secure media gets disabled
|
||||
|
@ -138,14 +139,21 @@ class UploadsController < ApplicationController
|
|||
# if the upload is still secure, that means the ACL is probably still
|
||||
# private, so we don't want to go to the CDN url just yet otherwise we
|
||||
# will get a 403. if the upload is not secure we assume the ACL is public
|
||||
signed_secure_url = Discourse.store.signed_url_for_path(path_with_ext)
|
||||
redirect_to upload.secure? ? signed_secure_url : Discourse.store.cdn_url(upload.url)
|
||||
end
|
||||
|
||||
def handle_secure_upload_request(upload, path_with_ext)
|
||||
def handle_secure_upload_request(upload, path_with_ext = nil)
|
||||
if upload.access_control_post_id.present?
|
||||
raise Discourse::InvalidAccess if !guardian.can_see?(upload.access_control_post)
|
||||
end
|
||||
|
||||
# url_for figures out the full URL, handling multisite DBs,
|
||||
# and will return a presigned URL for the upload
|
||||
if path_with_ext.blank?
|
||||
return redirect_to Discourse.store.url_for(upload)
|
||||
end
|
||||
|
||||
redirect_to Discourse.store.signed_url_for_path(path_with_ext)
|
||||
end
|
||||
|
||||
|
|
|
@ -397,9 +397,19 @@ describe UploadsController do
|
|||
upload.update(access_control_post: post)
|
||||
|
||||
get upload.short_path
|
||||
|
||||
expect(response.code).to eq("403")
|
||||
end
|
||||
|
||||
context "when running on a multisite connection" do
|
||||
before do
|
||||
Rails.configuration.multisite = true
|
||||
end
|
||||
it "redirects to the signed_url_for_path with the multisite DB name in the url" do
|
||||
freeze_time
|
||||
get upload.short_path
|
||||
expect(response.body).to include(RailsMultisite::ConnectionManagement.current_db)
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
Loading…
Reference in New Issue
Block a user