IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

SECURITY: Make sure export CSV is generated via a POST

Browse Source
This commit is contained in:
Robin Ward
2015-07-24 12:33:53 -04:00
parent c78dbb7fa5
commit 29439e5534
10 changed files with 33 additions and 78 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
app/assets/javascripts/admin/controllers/admin-logs-screened-emails.js.es6
View File

@@ -1,3 +1,4 @@
import { exportEntity } from 'discourse/lib/export-csv';
import { outputExportResult } from 'discourse/lib/export-result'; import { outputExportResult } from 'discourse/lib/export-result';
export default Ember.ArrayController.extend({ export default Ember.ArrayController.extend({
@@ -12,7 +13,7 @@ export default Ember.ArrayController.extend({
}, },
exportScreenedEmailList() { exportScreenedEmailList() {
Discourse.ExportCsv.exportScreenedEmailList().then(outputExportResult); exportEntity('screened_email').then(outputExportResult);
} }
}, },

3
app/assets/javascripts/admin/controllers/admin-logs-screened-ip-addresses.js.es6
View File

@@ -1,4 +1,5 @@
import { outputExportResult } from 'discourse/lib/export-result'; import { outputExportResult } from 'discourse/lib/export-result';
import { exportEntity } from 'discourse/lib/export-csv';
export default Ember.ArrayController.extend({ export default Ember.ArrayController.extend({
loading: false, loading: false,
@@ -40,7 +41,7 @@ export default Ember.ArrayController.extend({
}, },
exportScreenedIpList() { exportScreenedIpList() {
Discourse.ExportCsv.exportScreenedIpList().then(outputExportResult); exportEntity('screened_ip').then(outputExportResult);
} }
} }
}); });

3
app/assets/javascripts/admin/controllers/admin-logs-screened-urls.js.es6
View File

@@ -1,3 +1,4 @@
import { exportEntity } from 'discourse/lib/export-csv';
import { outputExportResult } from 'discourse/lib/export-result'; import { outputExportResult } from 'discourse/lib/export-result';
export default Ember.ArrayController.extend({ export default Ember.ArrayController.extend({
@@ -14,7 +15,7 @@ export default Ember.ArrayController.extend({
actions: { actions: {
exportScreenedUrlList() { exportScreenedUrlList() {
Discourse.ExportCsv.exportScreenedUrlList().then(outputExportResult); exportEntity('screened_url').then(outputExportResult);
} }
} }
}); });

3
app/assets/javascripts/admin/controllers/admin-logs-staff-action-logs.js.es6
View File

@@ -1,3 +1,4 @@
import { exportEntity } from 'discourse/lib/export-csv';
import { outputExportResult } from 'discourse/lib/export-result'; import { outputExportResult } from 'discourse/lib/export-result';
export default Ember.ArrayController.extend({ export default Ember.ArrayController.extend({
@@ -92,7 +93,7 @@ export default Ember.ArrayController.extend({
}, },
exportStaffActionLogs: function() { exportStaffActionLogs: function() {
Discourse.ExportCsv.exportStaffActionLogs().then(outputExportResult); exportEntity('staff_action').then(outputExportResult);
} }
} }
}); });

3
app/assets/javascripts/admin/routes/admin-users-list.js.es6
View File

@@ -1,10 +1,11 @@
import { exportEntity } from 'discourse/lib/export-csv';
import { outputExportResult } from 'discourse/lib/export-result'; import { outputExportResult } from 'discourse/lib/export-result';
export default Discourse.Route.extend({ export default Discourse.Route.extend({
actions: { actions: {
exportUsers: function() { exportUsers: function() {
Discourse.ExportCsv.exportUserList().then(outputExportResult); exportEntity('user_list').then(outputExportResult);
}, },
sendInvites: function() { sendInvites: function() {

3
app/assets/javascripts/discourse/controllers/user.js.es6
View File

@@ -1,3 +1,4 @@
import { exportUserArchive } from 'discourse/lib/export-csv';
import ObjectController from 'discourse/controllers/object'; import ObjectController from 'discourse/controllers/object';
import CanCheckEmails from 'discourse/mixins/can-check-emails'; import CanCheckEmails from 'discourse/mixins/can-check-emails';
@@ -78,7 +79,7 @@ export default ObjectController.extend(CanCheckEmails, {
I18n.t("yes_value"), I18n.t("yes_value"),
function(confirmed) { function(confirmed) {
if (confirmed) { if (confirmed) {
Discourse.ExportCsv.exportUserArchive(); exportUserArchive();
} }
} }
); );

19
app/assets/javascripts/discourse/lib/export-csv.js.es6 Normal file
View File

@@ -0,0 +1,19 @@
function exportEntityByType(type, entity) {
return Discourse.ajax("/export_csv/export_entity.json", {
method: 'POST',
data: {entity_type: type, entity}
});
}
export function exportUserArchive() {
return exportEntityByType('user', 'user_archive').then(function() {
bootbox.alert(I18n.t("admin.export_csv.success"));
}).catch(function() {
bootbox.alert(I18n.t("admin.export_csv.rate_limit_error"));
});
}
export function exportEntity(entity) {
return exportEntityByType('admin', entity);
}

71
app/assets/javascripts/discourse/models/export_csv.js
View File

@@ -1,71 +0,0 @@
/**
Data model for representing an export
@class ExportCsv
@extends Discourse.Model
@namespace Discourse
@module Discourse
**/
Discourse.ExportCsv = Discourse.Model.extend({});
Discourse.ExportCsv.reopenClass({
/**
Exports user archive
@method export_user_archive
**/
exportUserArchive: function() {
return Discourse.ajax("/export_csv/export_entity.json", {
data: {entity_type: 'user', entity: 'user_archive'}
}).then(function() {
bootbox.alert(I18n.t("admin.export_csv.success"));
}).catch(function() {
bootbox.alert(I18n.t("admin.export_csv.rate_limit_error"));
});
},
/**
Exports user list
@method export_user_list
**/
exportUserList: function() {
return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'user_list'}});
},
/**
Exports staff action logs
@method export_staff_action_logs
**/
exportStaffActionLogs: function() {
return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'staff_action'}});
},
/**
Exports screened email list
@method export_screened_email_list
**/
exportScreenedEmailList: function() {
return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'screened_email'}});
},
/**
Exports screened IP list
@method export_screened_ip_list
**/
exportScreenedIpList: function() {
return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'screened_ip'}});
},
/**
Exports screened URL list
@method export_screened_url_list
**/
exportScreenedUrlList: function() {
return Discourse.ajax("/export_csv/export_entity.json", {data: {entity_type: 'admin', entity: 'screened_url'}});
}
});

1
app/assets/javascripts/main_include.js
View File

@@ -19,6 +19,7 @@
//= require ./discourse/lib/markdown //= require ./discourse/lib/markdown
//= require ./discourse/lib/search-for-term //= require ./discourse/lib/search-for-term
//= require ./discourse/lib/user-search //= require ./discourse/lib/user-search
//= require ./discourse/lib/export-csv
//= require ./discourse/lib/autocomplete //= require ./discourse/lib/autocomplete
//= require ./discourse/lib/after-transition //= require ./discourse/lib/after-transition
//= require ./discourse/lib/debounce //= require ./discourse/lib/debounce

2
config/routes.rb
View File

@@ -491,7 +491,7 @@ Discourse::Application.routes.draw do
resources :export_csv do resources :export_csv do
collection do collection do
get "export_entity" => "export_csv#export_entity" post "export_entity" => "export_csv#export_entity"
end end
member do member do
get "" => "export_csv#show", constraints: { id: /[^\/]+/ } get "" => "export_csv#show", constraints: { id: /[^\/]+/ }