FIX: Searching for svg sprite icons connecting to default database (#21605)

What is the problem?

In `SvgSpriteController#search` and `SvgSpriteController#icon_picker_search`, the controller actions
were using the `RailsMultisite::ConnectionManagement.with_hostname` API,
but `params[:hostname]` was always `nil` because the routes do not
have a `:hostname` param component and the client does not ever pass the
`:hostname` param when making the request. When `RailsMultisite::ConnectionManagement.with_hostname` is
used with a `nil` argument, it ends up connecting to the default
multisite database. Usually this would be bad because we're allowing a
site in a multisite setup to connect to another site but thankfully no
private data is being leaked here.

What is the fix?

Since `SvgSpriteController#search` and `SvgSpriteController#icon_picker_search` are login-required routes,
there is no need for us to switch database connections. The fix here is
to simply remove the use of `RailsMultisite::ConnectionManagement.with_hostname`.
Alan Guo Xiang Tan 2023-05-17 15:25:06 +09:00 committed by GitHub
parent 4c476b42b0
commit 5878535606
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 17 additions and 15 deletions


@ -32,27 +32,23 @@ class SvgSpriteController < ApplicationController
end
def search
RailsMultisite::ConnectionManagement.with_hostname(params[:hostname]) do
keyword = params.require(:keyword)
data = SvgSprite.search(keyword)
keyword = params.require(:keyword)
data = SvgSprite.search(keyword)
if data.blank?
render body: nil, status: 404
else
render plain: data.inspect, disposition: nil, content_type: "text/plain"
end
if data.blank?
render body: nil, status: 404
else
render plain: data.inspect, disposition: nil, content_type: "text/plain"
end
end
def icon_picker_search
RailsMultisite::ConnectionManagement.with_hostname(params[:hostname]) do
params.permit(:filter, :only_available)
filter = params[:filter] || ""
only_available = params[:only_available]
params.permit(:filter, :only_available)
filter = params[:filter] || ""
only_available = params[:only_available]
icons = SvgSprite.icon_picker_search(filter, only_available)
render json: icons.take(200), root: false
end
icons = SvgSprite.icon_picker_search(filter, only_available)
render json: icons.take(200), root: false
end
def svg_icon
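Review bot: removing the `RailsMultisite::ConnectionManagement.with_hostname(params[:hostname])` wrapper from `search` and `icon_picker_search` is the right fix, since with a `nil` hostname the block switched to the default multisite database instead of the site that received the request, and nothing inside either block depended on the wrapper; `ApplicationController` already serves the request on the current site's connection. The hunk leaves behind a `params[:hostname]` that is now never read anywhere in this controller, so consider a regression spec that issues a request with no `hostname` param and asserts the result comes from the current site's `SvgSprite` data, otherwise a later refactor could reintroduce the same wrapper unnoticed. Unrelated to this change but visible here: `render plain: data.inspect` returns the Ruby `inspect` form of the search result as `text/plain`, which is an odd wire format for a client to parse and may be worth a follow-up.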


@ -77,6 +77,12 @@ RSpec.describe SvgSpriteController do
end
describe "#icon_picker_search" do
it "should return 403 for anonymous users" do
get "/svg-sprite/picker-search"
expect(response.status).to eq(403)
end
it "should work with no filter and max out at 200 results" do
user = sign_in(Fabricate(:user))
get "/svg-sprite/picker-search"
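Review bot: the new `should return 403 for anonymous users` case pins down the login requirement that the fix relies on for `icon_picker_search`, which is exactly the property that justifies dropping the hostname switch; the hunk only covers `#icon_picker_search`, so if the `#search` describe block does not already have an equivalent anonymous-request assertion, add one there too so both actions the commit touches are guarded by the same test.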