FIX: send 404 error when unauthorized user tries to download user archive
parent
a09d893c0c
commit
74141cc475
2 changed files with 9 additions and 1 deletions
|
@ -20,7 +20,7 @@ class ExportCsvController < ApplicationController
|
||||||
export_initiated_by_user_id = UserExport.where(id: export_id)[0].user_id unless UserExport.where(id: export_id).empty?
|
export_initiated_by_user_id = UserExport.where(id: export_id)[0].user_id unless UserExport.where(id: export_id).empty?
|
||||||
export_csv_path = UserExport.get_download_path(filename)
|
export_csv_path = UserExport.get_download_path(filename)
|
||||||
|
|
||||||
if export_csv_path && export_initiated_by_user_id == current_user.id
|
if export_csv_path && current_user.present? && export_initiated_by_user_id == current_user.id
|
||||||
send_file export_csv_path
|
send_file export_csv_path
|
||||||
else
|
else
|
||||||
render nothing: true, status: 404
|
render nothing: true, status: 404
|
||||||
|
|
|
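Review bot: The new condition `if export_csv_path && current_user.present? && export_initiated_by_user_id == current_user.id` ties the served file to its owner only indirectly: the owner is looked up by `export_id` while the path comes from `filename`, and both are assigned above the hunk, so this view does not show that they always describe the same export. It is worth confirming that `export_id` is parsed from `filename` and that `UserExport.get_download_path` resolves only inside the export directory. Scoping the lookup to the requester would also replace the two `UserExport.where(id: export_id)` queries and skip the work for anonymous requests, e.g. `export = current_user && UserExport.where(id: export_id, user_id: current_user.id).first` followed by `if export && export_csv_path`. The action body starts and ends outside the hunk.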
@ -3,6 +3,14 @@ require "spec_helper"
|
||||||
describe ExportCsvController do
|
describe ExportCsvController do
|
||||||
let(:export_filename) { "user-archive-codinghorror-150115-234817-999.csv.gz" }
|
let(:export_filename) { "user-archive-codinghorror-150115-234817-999.csv.gz" }
|
||||||
|
|
||||||
|
context "while not logged in" do
|
||||||
|
describe ".download" do
|
||||||
|
it "returns 404 when the unauthorized user tries to export csv file" do
|
||||||
|
get :show, id: export_filename
|
||||||
|
expect(response.status).to eq(404)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
context "while logged in as normal user" do
|
context "while logged in as normal user" do
|
||||||
before { @user = log_in(:user) }
|
before { @user = log_in(:user) }
|
||||||
|
|
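Review bot: The new example under `context "while not logged in"` may pass even without the controller change, because it does not arrange for `UserExport.get_download_path` to return a path. If that helper returns nil for a missing file (presumably, given the `export_csv_path &&` guard in the controller), the `&&` short-circuits to the 404 branch before `current_user` is ever read. Stubbing `UserExport.get_download_path` to return a non-nil path in this example would make it fail on the old code and pin the new `current_user.present?` guard. The inner `describe ".download"` label also does not match the `show` action the example calls; `describe "#show"` would be clearer.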