FIX: return 404 only if upload url also not internal.

Vinoth Kannan 2019-05-15 02:06:54 +05:30
parent e0fe01925e
commit 42b10a646d
2 changed files with 23 additions and 7 deletions


@ -2,6 +2,7 @@
require "mini_mime"
require_dependency 'upload_creator'
require_dependency "file_store/local_store"
class UploadsController < ApplicationController
requires_login except: [:show]
@ -67,10 +68,14 @@ class UploadsController < ApplicationController
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
return render_404 unless Discourse.store.internal?
return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
if upload = Upload.find_by(sha1: params[:sha]) || Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
unless Discourse.store.internal?
local_store = FileStore::LocalStore.new
return render_404 unless local_store.has_been_uploaded?(upload.url)
end
opts = {
filename: upload.original_filename,
content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type,
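Review bot: In the new `unless Discourse.store.internal?` branch, the decision to serve is made with a fresh `FileStore::LocalStore`, but `local_store` is scoped to that branch and the code that actually sends the file lies outside this hunk. If that later step still resolves the path through `Discourse.store`, an external-store site would be asked for a local path on exactly the requests this branch lets through. It is worth confirming that the path comes from the same local store and that a missing path renders 404 rather than raising. A one-line comment above the branch, such as `# external store is enabled, but this upload's url is still local (not migrated yet)`, would record why a non-internal store still serves from disk. The enclosing action starts and ends outside the hunk.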


@ -214,13 +214,24 @@ describe UploadsController do
upload
end
it "returns 404 when using external storage" do
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
context "when using external storage" do
before do
@upload = upload_file("small.pdf", "pdf")
SiteSetting.enable_s3_uploads = true
SiteSetting.s3_access_key_id = "fakeid7974664"
SiteSetting.s3_secret_access_key = "fakesecretid7974664"
end
get "/uploads/#{site}/#{sha}.pdf"
expect(response.response_code).to eq(404)
it "returns 404" do
@upload.update_column(:url, "//bucket.s3.amazonaws.com/#{@upload.url}")
get "/uploads/#{site}/#{@upload.sha1}.#{@upload.extension}"
expect(response.response_code).to eq(404)
end
it "returns upload if url not migrated" do
get "/uploads/#{site}/#{@upload.sha1}.#{@upload.extension}"
expect(response.status).to eq(200)
end
end
it "returns 404 when the upload doesn't exist" do
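Review bot: The new `context "when using external storage"` covers the migrated and unmigrated URL cases, but nothing pins the anonymous-download restriction on the new local fallback. An unmigrated upload now answers 200 on an external-store site, so a third example would guard against the fallback bypassing that check if the controller is reordered. Assuming these examples run logged out, it would set `SiteSetting.prevent_anons_from_downloading_files = true`, issue the same `get`, and assert `expect(response.status).to eq(404)`. Separately, the two examples mix `response.response_code` and `response.status`; using one form throughout the context would read more consistently.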