discourse/spec/fabricators/upload_fabricator.rb
Martin Brennan ab3bda6cd0
FIX: Mitigate issue where legacy pre-secure hotlinked media would not be redownloaded (#8802)
Basically, say you had already downloaded a certain image from a certain URL
using pull_hotlinked_images and the onebox. The upload would be stored
by its sha as an upload record. Whenever you linked to the same URL again
in a post (e.g. in our case an og:image on review.discourse) we would
would reuse the original upload record because of the sha1.

However when you turned on secure media this could cause problems as
the first post that uses that upload after secure media is enabled
will set the access control post for the upload to the new post.
Then if the post is deleted every single onebox/link to that same image
URL will fail forever with 403 as the secure-media-uploads URL fails
if the access control post has been deleted.

To fix this when cooking posts and pulling hotlinked images, we only
allow using an original upload by URL if its access control post
matches the current post, and if the original_sha1 is filled in,
meaning it was uploaded AFTER secure media was enabled. otherwise
we just redownload the media again to be safe, as the URL will always
be new then.
2020-01-29 10:11:38 +10:00

60 lines
1.3 KiB
Ruby

# frozen_string_literal: true
Fabricator(:upload) do
user
sha1 { sequence(:sha1) { |n| Digest::SHA1.hexdigest(n.to_s) } }
original_filename "logo.png"
filesize 1234
width 100
height 200
thumbnail_width 30
thumbnail_height 60
url do |attrs|
sequence(:url) do |n|
Discourse.store.get_path_for(
"original", n + 1, attrs[:sha1], ".#{attrs[:extension]}"
)
end
end
extension "png"
end
Fabricator(:video_upload, from: :upload) do
original_filename "video.mp4"
width nil
height nil
thumbnail_width nil
thumbnail_height nil
extension "mp4"
end
Fabricator(:secure_upload, from: :upload) do
secure { true }
sha1 { SecureRandom.hex(20) }
original_sha1 { sequence(:sha1) { |n| Digest::SHA1.hexdigest(n.to_s) } }
end
Fabricator(:upload_s3, from: :upload) do
url do |attrs|
sequence(:url) do |n|
path = +Discourse.store.get_path_for(
"original", n + 1, attrs[:sha1], ".#{attrs[:extension]}"
)
if Rails.configuration.multisite
path.prepend(File.join(Discourse.store.upload_path, "/"))
end
File.join(Discourse.store.absolute_base_url, path)
end
end
end
Fabricator(:secure_upload_s3, from: :upload_s3) do
secure { true }
sha1 { SecureRandom.hex(20) }
original_sha1 { sequence(:sha1) { |n| Digest::SHA1.hexdigest(n.to_s) } }
end