From 74141cc475945568bb165bc9dad05a284d4ef7ae Mon Sep 17 00:00:00 2001
From: Arpit Jalan
Date: Mon, 8 Jun 2015 11:09:38 +0530
Subject: [PATCH] FIX: send 404 error when unauthorized user tries to download user archive
---
 app/controllers/export_csv_controller.rb | 2 +-
 spec/controllers/export_csv_controller_spec.rb | 8 ++++++++
 2 files changed, 9 insertions(+), 1 deletion(-)
diff --git a/app/controllers/export_csv_controller.rb b/app/controllers/export_csv_controller.rb
index af53d963ba6..74e341168cd 100644
--- a/app/controllers/export_csv_controller.rb
+++ b/app/controllers/export_csv_controller.rb
@@ -20,7 +20,7 @@ class ExportCsvController < ApplicationController
     export_initiated_by_user_id = UserExport.where(id: export_id)[0].user_id unless UserExport.where(id: export_id).empty?
     export_csv_path = UserExport.get_download_path(filename)
-    if export_csv_path && export_initiated_by_user_id == current_user.id
+    if export_csv_path && current_user.present? && export_initiated_by_user_id == current_user.id
       send_file export_csv_path
     else
       render nothing: true, status: 404
diff --git a/spec/controllers/export_csv_controller_spec.rb b/spec/controllers/export_csv_controller_spec.rb
index 9975b2cf299..440ccc11ef0 100644
--- a/spec/controllers/export_csv_controller_spec.rb
+++ b/spec/controllers/export_csv_controller_spec.rb
@@ -3,6 +3,14 @@ require "spec_helper"
 describe ExportCsvController do
   let(:export_filename) { "user-archive-codinghorror-150115-234817-999.csv.gz" }
+  context "while not logged in" do
+    describe ".download" do
+      it "returns 404 when the unauthorized user tries to export csv file" do
+        get :show, id: export_filename
+        expect(response.status).to eq(404)
+      end
+    end
+  end
   context "while logged in as normal user" do
     before { @user = log_in(:user) }
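Review bot: The login guard is spliced into the middle of the access condition, so the action (its `def`, and the derivation of `filename` and `export_id`, sit above the hunk) still resolves `export_csv_path` from the request before deciding whether the caller may ask at all; a guard clause at the top of the action, `return render nothing: true, status: 404 unless current_user`, keeps the authentication decision first and leaves the ownership test `export_initiated_by_user_id == current_user.id` readable on its own. Answering 404 rather than 403 for both the anonymous and the wrong-user case looks deliberate, since it avoids confirming that an archive with that name exists, and that intent deserves a comment such as `# 404, not 403: don't reveal whether the archive exists to callers who may not download it`. If `ApplicationController` offers a login-enforcing before filter, it would presumably answer with a different status, so the explicit guard is the right choice for this endpoint. Note that `export_initiated_by_user_id` stays nil when no `UserExport` row matches, which the new condition handles correctly because `nil == current_user.id` is false.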
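Review bot: The new example probably passes on the old code as well: unless `UserExport.get_download_path` returns a path for a file that does not exist, `export_csv_path` is nil, the old condition short-circuits before ever touching `current_user`, and the action already answered 404 — so this spec does not demonstrate that the guard works. To make it fail without the fix, stub the lookup so the condition reaches the login check, for example `UserExport.stubs(:get_download_path).returns("/tmp/#{export_filename}")` (or the equivalent in whatever stubbing style the suite uses), and keep the 404 expectation. The `describe ".download"` label also names a method the example never calls — it does `get :show` — so `describe "#show"` would be more accurate unless the logged-in contexts below already use the same label. The enclosing `describe ExportCsvController` block continues past the end of the hunk.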