SECURITY: Validate the entity
when downloading a CSV
This commit is contained in:
parent
0a8e16d049
commit
908433a7a0
@ -2,7 +2,7 @@ import { ajax } from 'discourse/lib/ajax';
|
||||
function exportEntityByType(type, entity, args) {
|
||||
return ajax("/export_csv/export_entity.json", {
|
||||
method: 'POST',
|
||||
data: {entity_type: type, entity, args}
|
||||
data: {entity, args}
|
||||
});
|
||||
}
|
||||
|
||||
|
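Review bot: `exportEntityByType(type, entity, args)` still declares a `type` parameter although the new `data: {entity, args}` no longer sends it, so every caller keeps passing a value that is silently discarded. Either drop the parameter and update the call sites (not visible in this commit), or if the signature is kept for compatibility, say so above the function: `// 'type' is no longer sent; the server authorises on 'entity' alone`. Leaving an unused parameter invites someone to re-add an `entity_type` field later and re-open the issue this commit closes.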
@ -3,7 +3,7 @@ class ExportCsvController < ApplicationController
|
||||
skip_before_filter :preload_json, :check_xhr, only: [:show]
|
||||
|
||||
def export_entity
|
||||
guardian.ensure_can_export_entity!(export_params[:entity_type])
|
||||
guardian.ensure_can_export_entity!(export_params[:entity])
|
||||
Jobs.enqueue(:export_csv_file, entity: export_params[:entity], user_id: current_user.id, args: export_params[:args])
|
||||
render json: success_json
|
||||
end
|
||||
@ -29,8 +29,7 @@ class ExportCsvController < ApplicationController
|
||||
def export_params
|
||||
@_export_params ||= begin
|
||||
params.require(:entity)
|
||||
params.require(:entity_type)
|
||||
params.permit(:entity, :entity_type, args: [:name, :start_date, :end_date, :category_id, :group_id, :trust_level])
|
||||
params.permit(:entity, args: [:name, :start_date, :end_date, :category_id, :group_id, :trust_level])
|
||||
end
|
||||
end
|
||||
end
|
||||
|
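Review bot: In `export_entity`, `export_params[:entity]` is handed to `Jobs.enqueue` as an arbitrary string as soon as the guardian passes, and for staff the guardian in this same commit returns true before it inspects the name, so any validation of the entity for staff happens only inside the job, which is not visible here. Checking the name against a fixed list of supported entities in the controller before enqueueing, e.g. `return head(:bad_request) unless SUPPORTED_ENTITIES.include?(export_params[:entity])` with `SUPPORTED_ENTITIES` a frozen array of the names the job handles, would make the entity validation hold for every caller. Whether the job already rejects unknown names cannot be confirmed from this page, so treat this as a gap to verify rather than a confirmed defect.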
@ -291,10 +291,12 @@ class Guardian
|
||||
@can_see_emails
|
||||
end
|
||||
|
||||
def can_export_entity?(entity_type)
|
||||
def can_export_entity?(entity)
|
||||
return false unless @user
|
||||
return true if is_staff?
|
||||
return false if entity_type == "admin"
|
||||
|
||||
# Regular users can only export their archives
|
||||
return false unless entity == "user_archive"
|
||||
UserExport.where(user_id: @user.id, created_at: (Time.zone.now.beginning_of_day..Time.zone.now.end_of_day)).count == 0
|
||||
end
|
||||
|
||||
|
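Review bot: The daily limit on the last line of `can_export_entity?` counts `UserExport` rows in a calendar-day window (`beginning_of_day..end_of_day`), so a non-staff user can start one export just before midnight and another just after, and because the guardian reads the count while the controller enqueues separately, two concurrent requests can both observe zero. A rolling window, `UserExport.where(user_id: @user.id, created_at: 1.day.ago..Time.zone.now).count == 0`, closes the midnight gap; the race needs an atomic limiter or a uniqueness constraint and cannot be solved inside this predicate alone. A comment above `return true if is_staff?` noting that staff bypass both the `user_archive` restriction and the daily limit would also help, since the spec relies on exactly that.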
@ -18,19 +18,19 @@ describe ExportCsvController do
|
||||
describe ".export_entity" do
|
||||
it "enqueues export job" do
|
||||
Jobs.expects(:enqueue).with(:export_csv_file, has_entries(entity: "user_archive", user_id: @user.id))
|
||||
xhr :post, :export_entity, entity: "user_archive", entity_type: "user"
|
||||
xhr :post, :export_entity, entity: "user_archive"
|
||||
expect(response).to be_success
|
||||
end
|
||||
|
||||
it "should not enqueue export job if rate limit is reached" do
|
||||
Jobs::ExportCsvFile.any_instance.expects(:execute).never
|
||||
UserExport.create(file_name: "user-archive-codinghorror-150116-003249", user_id: @user.id)
|
||||
xhr :post, :export_entity, entity: "user_archive", entity_type: "user"
|
||||
xhr :post, :export_entity, entity: "user_archive"
|
||||
expect(response).not_to be_success
|
||||
end
|
||||
|
||||
it "returns 404 when normal user tries to export admin entity" do
|
||||
xhr :post, :export_entity, entity: "staff_action", entity_type: "admin"
|
||||
xhr :post, :export_entity, entity: "staff_action"
|
||||
expect(response).not_to be_success
|
||||
end
|
||||
end
|
||||
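Review bot: The example named "returns 404 when normal user tries to export admin entity" only asserts `expect(response).not_to be_success`, which also passes on a 403, a 500, or the rate-limit failure tested just above it. Pin the status the application actually returns, e.g. `expect(response.status).to eq(404)`, and rename the example if the real code is not 404, so the test distinguishes "denied by the guardian" from any other failure. The rate-limit example has the same weakness and would benefit from the same change.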
@ -67,14 +67,14 @@ describe ExportCsvController do
|
||||
describe ".export_entity" do
|
||||
it "enqueues export job" do
|
||||
Jobs.expects(:enqueue).with(:export_csv_file, has_entries(entity: "staff_action", user_id: @admin.id))
|
||||
xhr :post, :export_entity, entity: "staff_action", entity_type: "admin"
|
||||
xhr :post, :export_entity, entity: "staff_action"
|
||||
expect(response).to be_success
|
||||
end
|
||||
|
||||
it "should not rate limit export for staff" do
|
||||
Jobs.expects(:enqueue).with(:export_csv_file, has_entries(entity: "staff_action", user_id: @admin.id))
|
||||
UserExport.create(file_name: "screened-email-150116-010145", user_id: @admin.id)
|
||||
xhr :post, :export_entity, entity: "staff_action", entity_type: "admin"
|
||||
xhr :post, :export_entity, entity: "staff_action"
|
||||
expect(response).to be_success
|
||||
end
|
||||
end
|
||||
|
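Review bot: Both admin examples only post `staff_action`, a known entity; nothing exercises an unrecognised entity name for staff, and the new `Guardian#can_export_entity?` returns true for staff before looking at the name, so that behaviour is decided entirely by code outside this commit. An example such as `xhr :post, :export_entity, entity: "not_an_entity"` followed by `expect(response).not_to be_success` would document the intended behaviour; if it currently passes with a success response, that points to a missing allow-list check in the controller rather than a test problem.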