Revert "SECURITY: User could non-avatar uploads."

This reverts commit 89581fa301.
2018-12-18 13:37:31 +08:00 · 2018-12-18 13:37:31 +08:00 · 899caf35ba
parent 89581fa301
commit 899caf35ba
2 changed files with 16 additions and 15 deletions
--- a/lib/guardian/user_guardian.rb
+++ b/lib/guardian/user_guardian.rb
@ -3,13 +3,19 @@ module UserGuardian

  def can_pick_avatar?(user_avatar, upload)
    return false unless self.user
+
    return true if is_admin?
+
    # can always pick blank avatar
    return true if !upload
+
    return true if user_avatar.contains_upload?(upload.id)
    return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id

-    UserUpload.exists?(upload_id: upload.id, user_id: user.id)
+    UserUpload.exists?(
+      upload_id: upload.id,
+      user_id: [upload.user_id, user.id]
+    )
  end

  def can_edit_user?(user)
--- a/spec/components/guardian/user_guardian_spec.rb
+++ b/spec/components/guardian/user_guardian_spec.rb
@ -14,8 +14,8 @@ describe UserGuardian do
    Fabricate.build(:admin, id: 3)
  end

-  let(:user_avatar) do
-    Fabricate(:user_avatar, user: user)
+  let :user_avatar do
+    UserAvatar.new(user_id: user.id)
  end

  let :users_upload do
@ -54,24 +54,19 @@ describe UserGuardian do
      it "can not set uploads not owned by current user" do
        expect(guardian.can_pick_avatar?(user_avatar, users_upload)).to eq(true)
        expect(guardian.can_pick_avatar?(user_avatar, already_uploaded)).to eq(true)
-
-        UserUpload.create!(
-          upload_id: not_my_upload.id,
-          user_id: not_my_upload.user_id
-        )
-
        expect(guardian.can_pick_avatar?(user_avatar, not_my_upload)).to eq(false)
        expect(guardian.can_pick_avatar?(user_avatar, nil)).to eq(true)
      end

      it "can handle uploads that are associated but not directly owned" do
-        UserUpload.create!(
-          upload_id: not_my_upload.id,
-          user_id: user_avatar.user_id
-        )
+        yes_my_upload = not_my_upload
+        UserUpload.create!(upload_id: yes_my_upload.id, user_id: user_avatar.user_id)
+        expect(guardian.can_pick_avatar?(user_avatar, yes_my_upload)).to eq(true)

-        expect(guardian.can_pick_avatar?(user_avatar, not_my_upload))
-          .to eq(true)
+        UserUpload.destroy_all
+
+        UserUpload.create!(upload_id: yes_my_upload.id, user_id: yes_my_upload.user_id)
+        expect(guardian.can_pick_avatar?(user_avatar, yes_my_upload)).to eq(true)
      end
    end