mirror of
https://github.com/discourse/discourse.git
synced 2024-11-24 02:20:41 +08:00
Merge pull request #3534 from techAPJ/patch-2
FIX: send 404 error when unauthorized user tries to download user archive
This commit is contained in:
commit
b432b20fdd
|
@ -20,7 +20,7 @@ class ExportCsvController < ApplicationController
|
|||
export_initiated_by_user_id = UserExport.where(id: export_id)[0].user_id unless UserExport.where(id: export_id).empty?
|
||||
export_csv_path = UserExport.get_download_path(filename)
|
||||
|
||||
if export_csv_path && export_initiated_by_user_id == current_user.id
|
||||
if export_csv_path && current_user.present? && export_initiated_by_user_id == current_user.id
|
||||
send_file export_csv_path
|
||||
else
|
||||
render nothing: true, status: 404
|
||||
|
|
|
@ -3,6 +3,14 @@ require "spec_helper"
|
|||
describe ExportCsvController do
|
||||
let(:export_filename) { "user-archive-codinghorror-150115-234817-999.csv.gz" }
|
||||
|
||||
context "while not logged in" do
|
||||
describe ".download" do
|
||||
it "returns 404 when the unauthorized user tries to export csv file" do
|
||||
get :show, id: export_filename
|
||||
expect(response.status).to eq(404)
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
context "while logged in as normal user" do
|
||||
before { @user = log_in(:user) }
|
||||
|
|
Loading…
Reference in New Issue
Block a user