github-mirror/discourse
github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-03-29 19:05:44 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

FIX: Validate type when picking an avatar. (#11602)

Browse Source 
This change improves the "UsersController#pick_avatar" validations to raise an error when "allow_uploaded_avatars" is disabled.
This commit is contained in:
Roman Rizzi 2021-01-05 10:29:10 -03:00 committed by GitHub
parent 45671276bf
commit afebaf439f
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 60 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
app/assets/javascripts/discourse/app/templates/modal/avatar-selector.hbs
View File

@ -12,6 +12,7 @@
{{radio-button id="system-avatar" name="avatar" value="system" selection=selected}} {{radio-button id="system-avatar" name="avatar" value="system" selection=selected}}
<label class="radio" for="system-avatar">{{bound-avatar-template user.system_avatar_template "large"}} {{html-safe (i18n "user.change_avatar.letter_based")}}</label> <label class="radio" for="system-avatar">{{bound-avatar-template user.system_avatar_template "large"}} {{html-safe (i18n "user.change_avatar.letter_based")}}</label>
</div> </div>
{{#if allowAvatarUpload}}
<div class="avatar-choice"> <div class="avatar-choice">
{{radio-button id="gravatar" name="avatar" value="gravatar" selection=selected}} {{radio-button id="gravatar" name="avatar" value="gravatar" selection=selected}}
<label class="radio" for="gravatar">{{bound-avatar-template user.gravatar_avatar_template "large"}} <span>{{html-safe (i18n "user.change_avatar.gravatar" gravatarName=gravatarName gravatarBaseUrl=gravatarBaseUrl gravatarLoginUrl=gravatarLoginUrl)}} {{user.email}}</span></label> <label class="radio" for="gravatar">{{bound-avatar-template user.gravatar_avatar_template "large"}} <span>{{html-safe (i18n "user.change_avatar.gravatar" gravatarName=gravatarName gravatarBaseUrl=gravatarBaseUrl gravatarLoginUrl=gravatarLoginUrl)}} {{user.email}}</span></label>
@ -26,7 +27,6 @@
<p class="error">{{I18n "user.change_avatar.gravatar_failed" gravatarName=gravatarName}}</p> <p class="error">{{I18n "user.change_avatar.gravatar_failed" gravatarName=gravatarName}}</p>
{{/if}} {{/if}}
</div> </div>
{{#if allowAvatarUpload}}
<div class="avatar-choice"> <div class="avatar-choice">
{{radio-button id="uploaded-avatar" name="avatar" value="uploaded" selection=selected}} {{radio-button id="uploaded-avatar" name="avatar" value="uploaded" selection=selected}}
<label class="radio" for="uploaded-avatar"> <label class="radio" for="uploaded-avatar">

28
app/controllers/users_controller.rb
View File

@ -1108,33 +1108,37 @@ class UsersController < ApplicationController
user = fetch_user_from_params user = fetch_user_from_params
guardian.ensure_can_edit!(user) guardian.ensure_can_edit!(user)
type = params[:type]
upload_id = params[:upload_id]
if SiteSetting.sso_overrides_avatar if SiteSetting.sso_overrides_avatar
return render json: failed_json, status: 422 return render json: failed_json, status: 422
end end
if !SiteSetting.allow_uploaded_avatars type = params[:type]
if type == "uploaded" || type == "custom"
invalid_type = type.present? && !AVATAR_TYPES_WITH_UPLOAD.include?(type) && type != 'system'
if invalid_type
return render json: failed_json, status: 422 return render json: failed_json, status: 422
end end
if type.blank? || type == 'system'
upload_id = nil
else
if !SiteSetting.allow_uploaded_avatars
return render json: failed_json, status: 422
end end
upload_id = params[:upload_id]
upload = Upload.find_by(id: upload_id) upload = Upload.find_by(id: upload_id)
if upload.nil?
return render_json_error I18n.t('avatar.missing')
end
# old safeguard # old safeguard
user.create_user_avatar unless user.user_avatar user.create_user_avatar unless user.user_avatar
guardian.ensure_can_pick_avatar!(user.user_avatar, upload) guardian.ensure_can_pick_avatar!(user.user_avatar, upload)
if AVATAR_TYPES_WITH_UPLOAD.include?(type) if type == 'gravatar'
if !upload
return render_json_error I18n.t("avatar.missing")
end
if type == "gravatar"
user.user_avatar.gravatar_upload_id = upload_id user.user_avatar.gravatar_upload_id = upload_id
else else
user.user_avatar.custom_upload_id = upload_id user.user_avatar.custom_upload_id = upload_id

23
spec/requests/users_controller_spec.rb
View File

@ -2309,6 +2309,29 @@ describe UsersController do
expect(response.status).to eq(422) expect(response.status).to eq(422)
end end
it 'ignores the upload if picking a system avatar' do
SiteSetting.allow_uploaded_avatars = false
another_upload = Fabricate(:upload)
put "/u/#{user.username}/preferences/avatar/pick.json", params: {
upload_id: another_upload.id, type: "system"
}
expect(response.status).to eq(200)
expect(user.reload.uploaded_avatar_id).to eq(nil)
end
it 'raises an error if the type is invalid' do
SiteSetting.allow_uploaded_avatars = false
another_upload = Fabricate(:upload)
put "/u/#{user.username}/preferences/avatar/pick.json", params: {
upload_id: another_upload.id, type: "x"
}
expect(response.status).to eq(422)
end
it 'can successfully pick the system avatar' do it 'can successfully pick the system avatar' do
put "/u/#{user.username}/preferences/avatar/pick.json" put "/u/#{user.username}/preferences/avatar/pick.json"