github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-01-22 15:56:30 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
5dc45b5dcf
discourse/app
History
Martin Brennan 5dc45b5dcf
FIX: Secure upload post processing race condition (#23968) 
* FIX: Secure upload post processing race condition

This commit fixes a couple of issues.

A little background -- when uploads are created in the composer
for posts, regardless of whether the upload will eventually be
marked secure or not, if secure_uploads is enabled we always mark
the upload secure at first. This is so the upload is by default
protected, regardless of post type (regular or PM) or category.

This was causing issues in some rare occasions though because
of the order of operations of our post creation and processing
pipeline. When creating a post, we enqueue a sidekiq job to
post-process the post which does various things including
converting images to lightboxes. We were also enqueuing a job
to update the secure status for all uploads in that post.

Sometimes the secure status job would run before the post process
job, marking uploads as _not secure_ in the background and changing
their ACL before the post processor ran, which meant the users
would see a broken image in their posts. This commit fixes that issue
by always running the upload security changes inline _within_ the
cooked_post_processor job.

The other issue was that the lightbox wrapper link for images in
the post would end up with a URL like this:

```
href="/secure-uploads/original/2X/4/4e1f00a40b6c952198bbdacae383ba77932fc542.jpeg"
```

Since we weren't actually using the `upload.url` to pass to
`UrlHelper.cook_url` here, we weren't converting this href to the CDN
URL if the post was not in a secure context (the UrlHelper does not
know how to convert a secure-uploads URL to a CDN one). Now we
always end up with the correct lightbox href. This was less of an issue
than the other one, since the secure-uploads URL works even when the
upload has become non-secure, but it was a good inconsistency to fix
anyway.
2023-10-18 23:48:01 +00:00
..
assets UX: Update highlight.js styles (#23999) 2023-10-18 19:07:39 -04:00
controllers FIX: Secure upload post processing race condition (#23968) 2023-10-18 23:48:01 +00:00
helpers DEV: Switch to using standard ember-cli test bundle (#23337) 2023-09-04 17:09:55 +01:00
jobs FIX: log for CleanUpTags job (#23964) 2023-10-18 03:24:14 +00:00
mailers FIX: Order tags shown in email subject by topics count and name (#22586) 2023-07-13 15:39:58 +08:00
models FIX: Secure upload post processing race condition (#23968) 2023-10-18 23:48:01 +00:00
serializers DEV: Serialize categories in topic lists (#23597) 2023-10-17 19:06:01 +03:00
services FIX: Everyone should be aware a cached summary is outdated. (#23438) 2023-09-06 12:09:21 -03:00
views DEV: convert I18n pseudo package into real package (discourse-i18n) (#23867) 2023-10-12 14:44:01 +01:00