IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Prevent guest users from accessing secure uploads when login required

Browse Source
This commit is contained in:
Ted Johansson
2023-12-07 13:38:38 +08:00
committed by Isaac Janzen
parent 50911b2579
commit 1b28823638
2 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
app/controllers/uploads_controller.rb
View File

@@ -168,6 +168,7 @@ class UploadsController < ApplicationController
def handle_secure_upload_request(upload, path_with_ext = nil)
if upload.access_control_post_id.present?
raise Discourse::InvalidAccess if current_user.nil? && SiteSetting.login_required
raise Discourse::InvalidAccess if !guardian.can_see?(upload.access_control_post)
else
return render_404 if current_user.nil?