Merge pull request #3534 from techAPJ/patch-2

FIX: send 404 error when unauthorized user tries to download user archive
This commit is contained in:
Régis Hanol 2015-06-08 09:47:01 +02:00
commit b432b20fdd
2 changed files with 9 additions and 1 deletions

View File

@ -20,7 +20,7 @@ class ExportCsvController < ApplicationController
export_initiated_by_user_id = UserExport.where(id: export_id)[0].user_id unless UserExport.where(id: export_id).empty?
export_csv_path = UserExport.get_download_path(filename)
if export_csv_path && export_initiated_by_user_id == current_user.id
if export_csv_path && current_user.present? && export_initiated_by_user_id == current_user.id
send_file export_csv_path
else
render nothing: true, status: 404

View File

@ -3,6 +3,14 @@ require "spec_helper"
describe ExportCsvController do
let(:export_filename) { "user-archive-codinghorror-150115-234817-999.csv.gz" }
context "while not logged in" do
describe ".download" do
it "returns 404 when the unauthorized user tries to export csv file" do
get :show, id: export_filename
expect(response.status).to eq(404)
end
end
end
context "while logged in as normal user" do
before { @user = log_in(:user) }