codeninjasllc/discourse
1
0
Fork 0
mirror of https://github.com/codeninjasllc/discourse.git synced 2024-11-28 01:56:01 -05:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge pull request #3534 from techAPJ/patch-2

Browse source 
FIX: send 404 error when unauthorized user tries to download user archive
This commit is contained in:
Régis Hanol 2015-06-08 09:47:01 +02:00
commit b432b20fdd
2 changed files with 9 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
app/controllers/export_csv_controller.rb
View file

@ -20,7 +20,7 @@ class ExportCsvController < ApplicationController
export_initiated_by_user_id = UserExport.where(id: export_id)[0].user_id unless UserExport.where(id: export_id).empty? export_initiated_by_user_id = UserExport.where(id: export_id)[0].user_id unless UserExport.where(id: export_id).empty?
export_csv_path = UserExport.get_download_path(filename) export_csv_path = UserExport.get_download_path(filename)
if export_csv_path && export_initiated_by_user_id == current_user.id if export_csv_path && current_user.present? && export_initiated_by_user_id == current_user.id
send_file export_csv_path send_file export_csv_path
else else
render nothing: true, status: 404 render nothing: true, status: 404

8
spec/controllers/export_csv_controller_spec.rb
View file

@ -3,6 +3,14 @@ require "spec_helper"
describe ExportCsvController do describe ExportCsvController do
let(:export_filename) { "user-archive-codinghorror-150115-234817-999.csv.gz" } let(:export_filename) { "user-archive-codinghorror-150115-234817-999.csv.gz" }
context "while not logged in" do
describe ".download" do
it "returns 404 when the unauthorized user tries to export csv file" do
get :show, id: export_filename
expect(response.status).to eq(404)
end
end
end
context "while logged in as normal user" do context "while logged in as normal user" do
before { @user = log_in(:user) } before { @user = log_in(:user) }