From 5b91182985d70dea991ef82eeae120cac0bef935 Mon Sep 17 00:00:00 2001
From: Gerhard Schlager <mail@gerhard-schlager.at>
Date: Thu, 27 Jun 2019 11:13:44 +0200
Subject: [PATCH] DEV: Respond with error 400 to uploads requested via XHR

follow-up to 13f38055
---
 app/controllers/uploads_controller.rb        | 8 ++++++--
 test/javascripts/acceptance/user-test.js.es6 | 9 +--------
 2 files changed, 7 insertions(+), 10 deletions(-)

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
index 4b780b56bfe..f1841a48603 100644
--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -70,7 +70,7 @@ class UploadsController < ApplicationController
 
   def show
     # do not serve uploads requested via XHR to prevent XSS
-    return render_404 if request.xhr?
+    return xhr_not_allowed if request.xhr?
 
     return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
 
@@ -92,7 +92,7 @@ class UploadsController < ApplicationController
 
   def show_short
     # do not serve uploads requested via XHR to prevent XSS
-    return render_404 if request.xhr?
+    return xhr_not_allowed if request.xhr?
 
     if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
       return render_404
@@ -126,6 +126,10 @@ class UploadsController < ApplicationController
 
   protected
 
+  def xhr_not_allowed
+    raise Discourse::InvalidParameters.new("XHR not allowed")
+  end
+
   def render_404
     raise Discourse::NotFound
   end
diff --git a/test/javascripts/acceptance/user-test.js.es6 b/test/javascripts/acceptance/user-test.js.es6
index ff93b540910..2f2fc61d089 100644
--- a/test/javascripts/acceptance/user-test.js.es6
+++ b/test/javascripts/acceptance/user-test.js.es6
@@ -5,14 +5,7 @@ acceptance("User", { loggedIn: true });
 QUnit.test("Invalid usernames", async assert => {
   // prettier-ignore
   server.get("/u/eviltrout%2F..%2F..%2F.json", () => { // eslint-disable-line no-undef
-    return [
-      404,
-      { "Content-Type": "application/json" },
-      {
-        errors: ["The requested URL or resource could not be found."],
-        error_type: "not_found"
-      }
-    ];
+    return [400, { "Content-Type": "application/json" }, {}];
   });
 
   await visit("/u/eviltrout%2F..%2F..%2F/summary");