SECURITY: Make sure export CSV is generated via a POST

2025-01-19 05:52:49 +08:00 · 2015-07-24 12:33:53 -04:00 · 2015-07-24 12:33:53 -04:00 · a716f9857b
commit a716f9857b
parent e180e55c4e
10 changed files with 33 additions and 78 deletions
--- a/app/assets/javascripts/admin/controllers/admin-logs-screened-emails.js.es6
+++ b/app/assets/javascripts/admin/controllers/admin-logs-screened-emails.js.es6
@ -1,3 +1,4 @@
+import { exportEntity } from 'discourse/lib/export-csv';
 import { outputExportResult } from 'discourse/lib/export-result';

 export default Ember.ArrayController.extend({
@ -12,7 +13,7 @@ export default Ember.ArrayController.extend({
    },

    exportScreenedEmailList() {
-      Discourse.ExportCsv.exportScreenedEmailList().then(outputExportResult);
+      exportEntity('screened_email').then(outputExportResult);
    }
  },

--- a/app/assets/javascripts/admin/controllers/admin-logs-screened-ip-addresses.js.es6
+++ b/app/assets/javascripts/admin/controllers/admin-logs-screened-ip-addresses.js.es6
@ -1,4 +1,5 @@
 import { outputExportResult } from 'discourse/lib/export-result';
+import { exportEntity } from 'discourse/lib/export-csv';

 export default Ember.ArrayController.extend({
  loading: false,
@ -40,7 +41,7 @@ export default Ember.ArrayController.extend({
    },

    exportScreenedIpList() {
-      Discourse.ExportCsv.exportScreenedIpList().then(outputExportResult);
+      exportEntity('screened_ip').then(outputExportResult);
    }
  }
 });
--- a/app/assets/javascripts/admin/controllers/admin-logs-screened-urls.js.es6
+++ b/app/assets/javascripts/admin/controllers/admin-logs-screened-urls.js.es6
@ -1,3 +1,4 @@
+import { exportEntity } from 'discourse/lib/export-csv';
 import { outputExportResult } from 'discourse/lib/export-result';

 export default Ember.ArrayController.extend({
@ -14,7 +15,7 @@ export default Ember.ArrayController.extend({

  actions: {
    exportScreenedUrlList() {
-      Discourse.ExportCsv.exportScreenedUrlList().then(outputExportResult);
+      exportEntity('screened_url').then(outputExportResult);
    }
  }
 });
--- a/app/assets/javascripts/admin/controllers/admin-logs-staff-action-logs.js.es6
+++ b/app/assets/javascripts/admin/controllers/admin-logs-staff-action-logs.js.es6
@ -1,3 +1,4 @@
+import { exportEntity } from 'discourse/lib/export-csv';
 import { outputExportResult } from 'discourse/lib/export-result';

 export default Ember.ArrayController.extend({
@ -92,7 +93,7 @@ export default Ember.ArrayController.extend({
    },

    exportStaffActionLogs: function() {
-      Discourse.ExportCsv.exportStaffActionLogs().then(outputExportResult);
+      exportEntity('staff_action').then(outputExportResult);
    }
  }
 });
--- a/app/assets/javascripts/admin/routes/admin-users-list.js.es6
+++ b/app/assets/javascripts/admin/routes/admin-users-list.js.es6
@ -1,10 +1,11 @@
+import { exportEntity } from 'discourse/lib/export-csv';
 import { outputExportResult } from 'discourse/lib/export-result';

 export default Discourse.Route.extend({

  actions: {
    exportUsers: function() {
-      Discourse.ExportCsv.exportUserList().then(outputExportResult);
+      exportEntity('user_list').then(outputExportResult);
    },

    sendInvites: function() {
--- a/app/assets/javascripts/discourse/controllers/user.js.es6
+++ b/app/assets/javascripts/discourse/controllers/user.js.es6
@ -1,3 +1,4 @@
+import { exportUserArchive } from 'discourse/lib/export-csv';
 import ObjectController from 'discourse/controllers/object';
 import CanCheckEmails from 'discourse/mixins/can-check-emails';

@ -78,7 +79,7 @@ export default ObjectController.extend(CanCheckEmails, {
        I18n.t("yes_value"),
        function(confirmed) {
          if (confirmed) {
-            Discourse.ExportCsv.exportUserArchive();
+            exportUserArchive();
          }
        }
      );
--- a/app/assets/javascripts/discourse/lib/export-csv.js.es6
+++ b/app/assets/javascripts/discourse/lib/export-csv.js.es6
@ -0,0 +1,19 @@
+function exportEntityByType(type, entity) {
+  return Discourse.ajax("/export_csv/export_entity.json", {
+    method: 'POST',
+    data: {entity_type: type, entity}
+  });
+}
+
+export function exportUserArchive() {
+  return exportEntityByType('user', 'user_archive').then(function() {
+    bootbox.alert(I18n.t("admin.export_csv.success"));
+  }).catch(function() {
+    bootbox.alert(I18n.t("admin.export_csv.rate_limit_error"));
+  });
+}
+
+
+export function exportEntity(entity) {
+  return exportEntityByType('admin', entity);
+}
--- a/app/assets/javascripts/discourse/models/export_csv.js
+++ b/app/assets/javascripts/discourse/models/export_csv.js
@ -1,71 +0,0 @@
-/**
-  Data model for representing an export
-
-  @class ExportCsv
-  @extends Discourse.Model
-  @namespace Discourse
-  @module Discourse
-**/
-Discourse.ExportCsv = Discourse.Model.extend({});
-
-Discourse.ExportCsv.reopenClass({
-  /**
-  Exports user archive
-
-  @method export_user_archive
-  **/
-  exportUserArchive: function() {
-    return Discourse.ajax("/export_csv/export_entity.json", {
-      data: {entity_type: 'user', entity: 'user_archive'}
-    }).then(function() {
-      bootbox.alert(I18n.t("admin.export_csv.success"));
-    }).catch(function() {
-      bootbox.alert(I18n.t("admin.export_csv.rate_limit_error"));
-    });
-  },
-
-  /**
-    Exports user list
-
-    @method export_user_list
-  **/
-  exportUserList: function() {
-    return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'user_list'}});
-  },
-
-  /**
-    Exports staff action logs
-
-    @method export_staff_action_logs
-  **/
-  exportStaffActionLogs: function() {
-    return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'staff_action'}});
-  },
-
-  /**
-    Exports screened email list
-
-    @method export_screened_email_list
-  **/
-  exportScreenedEmailList: function() {
-    return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'screened_email'}});
-  },
-
-  /**
-    Exports screened IP list
-
-    @method export_screened_ip_list
-  **/
-  exportScreenedIpList: function() {
-    return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'screened_ip'}});
-  },
-
-  /**
-    Exports screened URL list
-
-    @method export_screened_url_list
-  **/
-  exportScreenedUrlList: function() {
-    return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'screened_url'}});
-  }
-});
--- a/app/assets/javascripts/main_include.js
+++ b/app/assets/javascripts/main_include.js
@ -19,6 +19,7 @@
 //= require ./discourse/lib/markdown
 //= require ./discourse/lib/search-for-term
 //= require ./discourse/lib/user-search
+//= require ./discourse/lib/export-csv
 //= require ./discourse/lib/autocomplete
 //= require ./discourse/lib/after-transition
 //= require ./discourse/lib/debounce
--- a/config/routes.rb
+++ b/config/routes.rb
@ -483,7 +483,7 @@ Discourse::Application.routes.draw do

  resources :export_csv do
    collection do
-      get "export_entity" => "export_csv#export_entity"
+      post "export_entity" => "export_csv#export_entity"
    end
    member do
      get "" => "export_csv#show", constraints: { id: /[^\/]+/ }