diff --git a/app/models/user_profile.rb b/app/models/user_profile.rb
index c05caea3b20..be6484552c5 100644
--- a/app/models/user_profile.rb
+++ b/app/models/user_profile.rb
@@ -12,6 +12,8 @@ class UserProfile < ActiveRecord::Base
   validates :profile_background, upload_url: true, if: :profile_background_changed?
   validates :card_background, upload_url: true, if: :card_background_changed?
 
+  validate :website_domain_validator, if: Proc.new { |c| c.new_record? || c.website_changed? }
+
   belongs_to :card_image_badge, class_name: 'Badge'
   has_many :user_profile_views, dependent: :destroy
 
@@ -102,6 +104,14 @@ class UserProfile < ActiveRecord::Base
     end
   end
 
+  def website_domain_validator
+    allowed_domains = SiteSetting.user_website_domains_whitelist
+    return if (allowed_domains.blank? || self.website.blank?)
+
+    domain = URI.parse(self.website).host
+    self.errors.add :base, (I18n.t('user.website.domain_not_allowed', domains: allowed_domains.split('|').join(", "))) unless allowed_domains.split('|').include?(domain)
+  end
+
 end
 
 # == Schema Information
diff --git a/config/locales/server.en.yml b/config/locales/server.en.yml
index ac3cc342ff0..761321e5959 100644
--- a/config/locales/server.en.yml
+++ b/config/locales/server.en.yml
@@ -1322,6 +1322,8 @@ en:
     hide_user_profiles_from_public: "Disable user cards, user profiles and user directory for anonymous users."
 
+    user_website_domains_whitelist: "User website will be verified against these domains. Pipe-delimited list."
+
     allow_profile_backgrounds: "Allow users to upload profile backgrounds."
     sequential_replies_threshold: "Number of posts a user has to make in a row in a topic before being reminded about too many sequential replies."
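Review bot: `URI.parse(self.website)` in the new `website_domain_validator` raises `URI::InvalidURIError` on malformed input, and because `website` is user-supplied and this validator runs whenever it changes, a bad value surfaces as an unhandled exception instead of a validation error (another validator rejecting the format does not stop this one from running). Rescue the parse error and treat a missing or unparsable host as "not allowed". `URI#host` is also returned as typed, so `https://Discourse.org` is rejected against a whitelist entry of `discourse.org`; lowercasing both sides before the comparison matches the case-insensitivity of hostnames. The match is otherwise exact, so `www.discourse.org` is not covered by `discourse.org` — that is the safer behaviour, but worth stating in the setting description if it is intended.
```ruby
  def website_domain_validator
    allowed_domains = SiteSetting.user_website_domains_whitelist
    return if (allowed_domains.blank? || self.website.blank?)

    # Malformed input must fail validation, not raise out of the model.
    domain = begin
      URI.parse(self.website).host
    rescue URI::InvalidURIError
      nil
    end
    domain = domain.downcase if domain

    # Hostnames are case-insensitive; normalise both sides before the exact match.
    listed = allowed_domains.split('|')
    allowed = listed.map(&:downcase)
    self.errors.add :base, (I18n.t('user.website.domain_not_allowed', domains: listed.join(", "))) unless allowed.include?(domain)
  end
```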
@@ -1606,6 +1608,8 @@ en:
     ip_address:
       blocked: "New registrations are not allowed from your IP address."
       max_new_accounts_per_registration_ip: "New registrations are not allowed from your IP address (maximum limit reached). Contact a staff member."
+    website:
+      domain_not_allowed: "Website is invalid. Allowed domains are: %{domains}"
 
   flags_reminder:
     flags_were_submitted:
diff --git a/config/site_settings.yml b/config/site_settings.yml
index dd9e472ae61..f947b862cbb 100644
--- a/config/site_settings.yml
+++ b/config/site_settings.yml
@@ -410,6 +410,9 @@ users:
   hide_user_profiles_from_public:
     default: false
     client: true
+  user_website_domains_whitelist:
+    default: ''
+    type: list
 
 groups:
   enable_group_directory:
diff --git a/spec/models/user_profile_spec.rb b/spec/models/user_profile_spec.rb
index d6b2c6ac01f..34a88c48cd0 100644
--- a/spec/models/user_profile_spec.rb
+++ b/spec/models/user_profile_spec.rb
@@ -54,16 +54,19 @@ describe UserProfile do
     expect(user_profile).not_to be_valid
   end
 
-  it "doesn't support invalid website" do
-    user_profile = Fabricate.build(:user_profile, website: "http://https://google.com")
-    user_profile.user = Fabricate.build(:user)
-    expect(user_profile).not_to be_valid
-  end
+  context "website validation" do
+    let(:user) { Fabricate(:user) }
 
-  it "supports valid website" do
-    user_profile = Fabricate.build(:user_profile, website: "https://google.com")
-    user_profile.user = Fabricate.build(:user)
-    expect(user_profile.valid?).to be true
+    it "ensures website is valid" do
+      expect(Fabricate.build(:user_profile, user: user, website: "http://https://google.com")).not_to be_valid
+      expect(Fabricate.build(:user_profile, user: user, website: "https://google.com")).to be_valid
+    end
+
+    it "validates website domain if user_website_domains_whitelist setting is present" do
+      SiteSetting.user_website_domains_whitelist = "discourse.org"
+      expect(Fabricate.build(:user_profile, user: user, website: "https://google.com")).not_to be_valid
+      expect(Fabricate.build(:user_profile, user: user, website: "http://discourse.org")).to be_valid
+    end
   end
 
   describe 'after save' do
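Review bot: The new `"validates website domain if user_website_domains_whitelist setting is present"` example only exercises well-formed URLs against the whitelist; there is no case for a malformed `website` while the setting is non-empty, which is the path where `URI.parse` inside the model validator can raise rather than add an error. Add an expectation such as `expect(Fabricate.build(:user_profile, user: user, website: "http://foo bar")).not_to be_valid` under the same `SiteSetting` value, and one for a mixed-case host like `http://Discourse.org` to pin whether the comparison is case-sensitive. The enclosing `describe UserProfile do` block starts outside the hunk.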