mirror of
https://github.com/discourse/discourse.git
synced 2024-12-02 05:03:40 +08:00
SECURITY: Prevent guest users from accessing secure uploads when login required
This commit is contained in:
parent
f213ba7c1f
commit
edb2630131
|
@ -168,6 +168,7 @@ class UploadsController < ApplicationController
|
|||
|
||||
def handle_secure_upload_request(upload, path_with_ext = nil)
|
||||
if upload.access_control_post_id.present?
|
||||
raise Discourse::InvalidAccess if current_user.nil? && SiteSetting.login_required
|
||||
raise Discourse::InvalidAccess if !guardian.can_see?(upload.access_control_post)
|
||||
else
|
||||
return render_404 if current_user.nil?
|
||||
|
|
|
@ -581,6 +581,20 @@ RSpec.describe UploadsController do
|
|||
end
|
||||
end
|
||||
|
||||
context "when login is required and user is not signed in" do
|
||||
let(:post) { Fabricate(:post) }
|
||||
|
||||
before do
|
||||
SiteSetting.login_required = true
|
||||
upload.update(access_control_post_id: post.id)
|
||||
end
|
||||
|
||||
it "returns a 403" do
|
||||
get secure_url
|
||||
expect(response.status).to eq(403)
|
||||
end
|
||||
end
|
||||
|
||||
context "when the prevent_anons_from_downloading_files setting is enabled and the user is anon" do
|
||||
before { SiteSetting.prevent_anons_from_downloading_files = true }
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user