mirror of
https://github.com/discourse/discourse.git
synced 2024-12-11 23:54:02 +08:00
de1922e656
This fixes a longstanding issue for sites with the secure_uploads setting enabled. What would happen is a scenario like this, since we did not check all places an upload could be linked to whenever we used UploadSecurity to check whether an upload should be secure:

* Upload is created and used for site setting, set to secure: false since site setting uploads should not be secure. Let's say favicon
* Favicon for the site is used inside a post in a private category, e.g. via a Onebox
* We changed the secure status for the upload to true, since it's been used in a private category and we don't check if its originator was a public place
* The site favicon breaks :'(

This was a source of constant consternation. Now, when an upload is _not_ being created, and we are checking if an existing upload should be secure, we now check to see what the first record in the UploadReference table is for that upload. If it's something public like a site setting, then we will never change the upload to `secure`.

api_keys_spec.rb | ||
auto_reject_reviewable_users_spec.rb | ||
blocked_hotlinked_media_spec.rb | ||
category_tag_spec.rb | ||
content_security_policy_spec.rb | ||
discord_omniauth_spec.rb | ||
email_outbound_spec.rb | ||
email_style_spec.rb | ||
facebook_omniauth_spec.rb | ||
flags_spec.rb | ||
github_omniauth_spec.rb | ||
group_spec.rb | ||
invalid_request_spec.rb | ||
invite_only_registration_spec.rb | ||
message_bus_spec.rb | ||
multisite_cookies_spec.rb | ||
multisite_spec.rb | ||
rate_limiting_spec.rb | ||
request_tracker_spec.rb | ||
same_ip_spammers_spec.rb | ||
secure_uploads_spec.rb | ||
spam_rules_spec.rb | ||
tag_counts_spec.rb | ||
topic_auto_close_spec.rb | ||
topic_thumbnail_spec.rb | ||
twitter_omniauth_spec.rb | ||
watched_words_spec.rb |