FIX: Never allow custom emoji to be marked secure (#8965)

* Because custom emoji count as post "uploads" we were marking them as secure when updating the secure status for post uploads. * We were also giving them an access control post id, which meant broken image previews from 403 errors in the admin custom emoji list. * We now check if an upload is used as a custom emoji and do not assign the access control post + never mark as secure.
2025-02-25 18:55:32 -06:00 · 2020-02-14 11:17:09 +10:00
parent 149196b9ce
commit 56b16bc68e
5 changed files with 32 additions and 4 deletions
--- a/spec/models/post_spec.rb
+++ b/spec/models/post_spec.rb
@@ -1376,6 +1376,16 @@ describe Post do
          expect(image_upload.access_control_post_id).to eq(post.id)
          expect(video_upload.access_control_post_id).not_to eq(post.id)
        end
+
+        context "for custom emoji" do
+          before do
+            CustomEmoji.create(name: "meme", upload: image_upload)
+          end
+          it "never sets an access control post because they should not be secure" do
+            post.link_post_uploads
+            expect(image_upload.reload.access_control_post_id).to eq(nil)
+          end
+        end
      end
    end

--- a/spec/models/upload_spec.rb
+++ b/spec/models/upload_spec.rb
@@ -419,7 +419,17 @@ describe Upload do
        expect { upload.update_secure_status }
          .to change { upload.secure }

-        expect(upload.secure).to eq(true)
+        expect(upload.reload.secure).to eq(true)
+      end
+
+      it 'does not mark an upload used for a custom emoji as secure' do
+        SiteSetting.login_required = true
+        upload.update!(secure: false)
+        CustomEmoji.create(name: 'meme', upload: upload)
+        expect { upload.update_secure_status }
+          .not_to change { upload.secure }
+
+        expect(upload.reload.secure).to eq(false)
      end
    end
  end