mirror of
https://github.com/discourse/discourse.git
synced 2024-11-29 20:24:05 -06:00
Merge pull request #1523 from dbarbera/avatar_formats_fix
add image authorization on upload_avatar
This commit is contained in:
commit
d80f4fa3f7
@ -302,6 +302,10 @@ class UsersController < ApplicationController
|
||||
|
||||
file = params[:file] || params[:files].first
|
||||
|
||||
unless SiteSetting.authorized_image?(file)
|
||||
return render status: 422, text: I18n.t("upload.images.unknown_image_type")
|
||||
end
|
||||
|
||||
# check the file size (note: this might also be done in the web server)
|
||||
filesize = File.size(file.tempfile)
|
||||
max_size_kb = SiteSetting.max_image_size_kb * 1024
|
||||
|
@ -966,6 +966,12 @@ describe UsersController do
|
||||
response.status.should eq 413
|
||||
end
|
||||
|
||||
it 'rejects unauthorized images' do
|
||||
SiteSetting.stubs(:authorized_image?).returns(false)
|
||||
xhr :post, :upload_avatar, username: user.username, file: avatar
|
||||
response.status.should eq 422
|
||||
end
|
||||
|
||||
it 'is successful' do
|
||||
upload = Fabricate(:upload)
|
||||
Upload.expects(:create_for).returns(upload)
|
||||
|
Loading…
Reference in New Issue
Block a user