Discource-C
/
discourse
mirror of https://github.com/discourse/discourse.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
discourse/spec/jobs/regular/update_post_uploads_secure_...

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

38 lines
1.1 KiB
Ruby
Raw Normal View History

FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
# frozen_string_literal: true
require 'rails_helper'
describe Jobs::UpdatePostUploadsSecureStatus do
fab!(:post) { Fabricate(:post) }
before do
FEATURE: Create upload_references table (#16146) This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use. * DEV: Create upload_references * DEV: Use UploadReference instead of PostUpload * DEV: Use UploadReference for SiteSetting * DEV: Use UploadReference for Badge * DEV: Use UploadReference for Category * DEV: Use UploadReference for CustomEmoji * DEV: Use UploadReference for Group * DEV: Use UploadReference for ThemeField * DEV: Use UploadReference for ThemeSetting * DEV: Use UploadReference for User * DEV: Use UploadReference for UserAvatar * DEV: Use UploadReference for UserExport * DEV: Use UploadReference for UserProfile * DEV: Add method to extract uploads from raw text * DEV: Use UploadReference for Draft * DEV: Use UploadReference for ReviewableQueuedPost * DEV: Use UploadReference for UserProfile's bio_raw * DEV: Do not copy user uploads to upload references * DEV: Copy post uploads again after deploy * DEV: Use created_at and updated_at from uploads table * FIX: Check if upload site setting is empty * DEV: Copy user uploads to upload references * DEV: Make upload extraction less strict
2022-06-08 19:24:30 -04:00
UploadReference.create!(target: post, upload: Fabricate(:upload))
UploadReference.create!(target: post, upload: Fabricate(:upload))
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
end
context "when secure uploads is enabled" do
before do
setup_s3
stub_s3_store
SiteSetting.secure_media = true
end
context "when login_required" do
before { SiteSetting.login_required = true }
it "updates all the uploads to secure" do
described_class.new.execute(post_id: post.id)
post.reload
FEATURE: Create upload_references table (#16146) This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use. * DEV: Create upload_references * DEV: Use UploadReference instead of PostUpload * DEV: Use UploadReference for SiteSetting * DEV: Use UploadReference for Badge * DEV: Use UploadReference for Category * DEV: Use UploadReference for CustomEmoji * DEV: Use UploadReference for Group * DEV: Use UploadReference for ThemeField * DEV: Use UploadReference for ThemeSetting * DEV: Use UploadReference for User * DEV: Use UploadReference for UserAvatar * DEV: Use UploadReference for UserExport * DEV: Use UploadReference for UserProfile * DEV: Add method to extract uploads from raw text * DEV: Use UploadReference for Draft * DEV: Use UploadReference for ReviewableQueuedPost * DEV: Use UploadReference for UserProfile's bio_raw * DEV: Do not copy user uploads to upload references * DEV: Copy post uploads again after deploy * DEV: Use created_at and updated_at from uploads table * FIX: Check if upload site setting is empty * DEV: Copy user uploads to upload references * DEV: Make upload extraction less strict
2022-06-08 19:24:30 -04:00
expect(post.upload_references.map(&:upload).map(&:secure).all?(true)).to eq(true)
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
end
it "updates all the uploads to secure even if their extension is not authorized" do
SiteSetting.authorized_extensions = ""
described_class.new.execute(post_id: post.id)
post.reload
FEATURE: Create upload_references table (#16146) This table holds associations between uploads and other models. This can be used to prevent removing uploads that are still in use. * DEV: Create upload_references * DEV: Use UploadReference instead of PostUpload * DEV: Use UploadReference for SiteSetting * DEV: Use UploadReference for Badge * DEV: Use UploadReference for Category * DEV: Use UploadReference for CustomEmoji * DEV: Use UploadReference for Group * DEV: Use UploadReference for ThemeField * DEV: Use UploadReference for ThemeSetting * DEV: Use UploadReference for User * DEV: Use UploadReference for UserAvatar * DEV: Use UploadReference for UserExport * DEV: Use UploadReference for UserProfile * DEV: Add method to extract uploads from raw text * DEV: Use UploadReference for Draft * DEV: Use UploadReference for ReviewableQueuedPost * DEV: Use UploadReference for UserProfile's bio_raw * DEV: Do not copy user uploads to upload references * DEV: Copy post uploads again after deploy * DEV: Use created_at and updated_at from uploads table * FIX: Check if upload site setting is empty * DEV: Copy user uploads to upload references * DEV: Make upload extraction less strict
2022-06-08 19:24:30 -04:00
expect(post.upload_references.map(&:upload).map(&:secure).all?(true)).to eq(true)
FIX: Skip upload extension validation when changing security (#16498) When changing upload security using `Upload#update_secure_status`, we may not have the context of how an upload is being created, because this code path can be run through scheduled jobs. When calling update_secure_status, the normal ActiveRecord validations are run, and ours include validating extensions. In some cases the upload is created in an automated way, such as user export zips, and the security is applied later, with the extension prohibited from use when normally uploading. This caused the upload to fail validation on `update_secure_status`, causing the security change to silently fail. This fixes the issue by skipping the file extension validation when the upload security is being changed.
2022-04-20 00:11:39 -04:00
end
end
end
end