codeninjasllc/discourse
1
0
Fork 0
mirror of https://github.com/codeninjasllc/discourse.git synced 2025-04-29 07:24:09 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side

Browse source
This commit is contained in:
Régis Hanol 2015-11-12 10:26:45 +01:00
parent 069516f4b4
commit 16f509afb9
4 changed files with 40 additions and 0 deletions

6
app/controllers/uploads_controller.rb
View file

@ -12,6 +12,12 @@ class UploadsController < ApplicationController
# HACK FOR IE9 to prevent the "download dialog" # HACK FOR IE9 to prevent the "download dialog"
response.headers["Content-Type"] = "text/plain" if request.user_agent =~ /MSIE 9/ response.headers["Content-Type"] = "text/plain" if request.user_agent =~ /MSIE 9/
if type == "avatar"
if SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars
return render json: failed_json, status: 422
end
end
if synchronous if synchronous
data = create_upload(type, file, url) data = create_upload(type, file, url)
render json: data.as_json render json: data.as_json

10
app/controllers/users_controller.rb
View file

@ -547,6 +547,16 @@ class UsersController < ApplicationController
type = params[:type] type = params[:type]
upload_id = params[:upload_id] upload_id = params[:upload_id]
if SiteSetting.sso_overrides_avatar
return render json: failed_json, status: 422
end
if !SiteSetting.allow_uploaded_avatars
if type == "uploaded" || type == "custom"
return render json: failed_json, status: 422
end
end
user.uploaded_avatar_id = upload_id user.uploaded_avatar_id = upload_id
if AVATAR_TYPES_WITH_UPLOAD.include?(type) if AVATAR_TYPES_WITH_UPLOAD.include?(type)

12
spec/controllers/uploads_controller_spec.rb
View file

@ -106,6 +106,18 @@ describe UploadsController do
expect(message.data["errors"]).to be expect(message.data["errors"]).to be
end end
it 'ensures allow_uploaded_avatars is enabled when uploading an avatar' do
SiteSetting.stubs(:allow_uploaded_avatars).returns(false)
xhr :post, :create, file: logo, type: "avatar"
expect(response).to_not be_success
end
it 'ensures sso_overrides_avatar is not enabled when uploading an avatar' do
SiteSetting.stubs(:sso_overrides_avatar).returns(true)
xhr :post, :create, file: logo, type: "avatar"
expect(response).to_not be_success
end
end end
end end

12
spec/controllers/users_controller_spec.rb
View file

@ -1363,6 +1363,18 @@ describe UsersController do
expect(response).to be_forbidden expect(response).to be_forbidden
end end
it "raises an error when sso_overrides_avatar is disabled" do
SiteSetting.stubs(:sso_overrides_avatar).returns(true)
xhr :put, :pick_avatar, username: user.username, upload_id: upload.id, type: "custom"
expect(response).to_not be_success
end
it "raises an error when selecting the custom/uploaded avatar and allow_uploaded_avatars is disabled" do
SiteSetting.stubs(:allow_uploaded_avatars).returns(false)
xhr :put, :pick_avatar, username: user.username, upload_id: upload.id, type: "custom"
expect(response).to_not be_success
end
it 'can successfully pick the system avatar' do it 'can successfully pick the system avatar' do
xhr :put, :pick_avatar, username: user.username xhr :put, :pick_avatar, username: user.username
expect(response).to be_success expect(response).to be_success