IntenseWebs/discourse
3
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-02-25 18:55:32 -06:00
Code Issues Packages Projects Releases Wiki Activity

FIX: Post uploads setting access_control_post_id unnecessarily (#26627)

Browse Source 
This commit addresses an issue for sites where secure_uploads
is turned on after the site has been operating without it for
some time.

When uploads are linked when they are used inside a post,
we were setting the access_control_post_id unconditionally
if it was NULL to that post ID and secure_uploads was true.

However this causes issues if an upload has been used in a
few different places, especially if a post was previously
used in a PM and marked secure, so we end up with a case of
the upload using a public post for its access control, which
causes URLs to not use the /secure-uploads/ path in the post,
breaking things like image uploads.

We should only set the access_control_post_id if the post is the first time the
upload is referenced so it cannot hijack uploads from other places.
This commit is contained in:
Martin Brennan
2024-04-16 10:37:57 +10:00
committed by GitHub
parent 9a5eca04fb
commit cdc8e9de1b
5 changed files with 73 additions and 22 deletions
Download Patch File Download Diff File Expand all files Collapse all files

61
spec/models/post_spec.rb
View File

@@ -1732,31 +1732,58 @@ RSpec.describe Post do
expect(post.reload.upload_references.pluck(:id)).to_not contain_exactly(post_uploads_ids)
end
context "when secure uploads is enabled" do
describe "setting access_control_post on linked uploads" do
fab!(:other_post) { Fabricate(:post) }
before do
setup_s3
SiteSetting.authorized_extensions = "pdf|png|jpg|csv"
SiteSetting.secure_uploads = true
SiteSetting.login_required = true
end
it "sets the access_control_post_id on uploads in the post that don't already have the value set" do
other_post = Fabricate(:post)
video_upload.update(access_control_post_id: other_post.id)
audio_upload.update(access_control_post_id: other_post.id)
context "for uploads in the post which have a null access_control_post_id" do
before do
image_upload.update!(access_control_post_id: nil)
video_upload.update!(access_control_post_id: other_post.id)
audio_upload.update!(access_control_post_id: other_post.id)
end
post.link_post_uploads
image_upload.reload
video_upload.reload
expect(image_upload.access_control_post_id).to eq(post.id)
expect(video_upload.access_control_post_id).not_to eq(post.id)
end
context "for custom emoji" do
before { CustomEmoji.create(name: "meme", upload: image_upload) }
it "never sets an access control post because they should not be secure" do
it "does nothing if secure uploads is disabled" do
SiteSetting.secure_uploads = false
post.link_post_uploads
expect(image_upload.reload.access_control_post_id).to eq(nil)
image_upload.reload
expect(image_upload.access_control_post_id).to eq(nil)
end
it "sets access_control_post_id to the current post if it is the first time the upload is being referenced" do
post.link_post_uploads
expect(image_upload.reload.access_control_post_id).to eq(post.id)
end
it "does not set access_control_post_id if the current post is not the first time the upload is being referenced" do
UploadReference.create!(
upload: image_upload,
target: Fabricate(:post),
created_at: 1.year.ago,
)
post.link_post_uploads
expect(image_upload.reload.access_control_post_id).not_to eq(post.id)
end
it "does not set access_control_post_id for uploads that already have one" do
post.link_post_uploads
expect(video_upload.access_control_post_id).not_to eq(post.id)
expect(audio_upload.access_control_post_id).not_to eq(post.id)
end
context "for custom emoji" do
before { CustomEmoji.create(name: "meme", upload: image_upload) }
it "never sets an access control post because they should not be secure" do
post.link_post_uploads
expect(image_upload.reload.access_control_post_id).to eq(nil)
end
end
end
end