FIX: only allow CSV file to be uploaded for bulk invite

2017-01-11 16:15:02 +05:30 · 2017-01-11 16:15:02 +05:30 · e793caf3e3
parent dfb633fde3
commit e793caf3e3
4 changed files with 12 additions and 2 deletions
--- a/app/assets/javascripts/discourse/components/csv-uploader.js.es6
+++ b/app/assets/javascripts/discourse/components/csv-uploader.js.es6
@ -6,6 +6,10 @@ export default Em.Component.extend(UploadMixin, {
  tagName: "span",
  uploadUrl: "/invites/upload_csv",

+  validateUploadedFilesOptions() {
+    return { csvOnly: true };
+  },
+
  @computed("uploading")
  uploadButtonText(uploading) {
    return uploading ? I18n.t("uploading") : I18n.t("user.invited.bulk_invite.text");
--- a/app/assets/javascripts/discourse/lib/utilities.js.es6
+++ b/app/assets/javascripts/discourse/lib/utilities.js.es6
@ -192,6 +192,11 @@ export function validateUploadedFile(file, opts) {
      bootbox.alert(I18n.t('post.errors.upload_not_authorized', { authorized_extensions: authorizedImagesExtensions() }));
      return false;
    }
+  } else if (opts["csvOnly"]) {
+    if (!(/\.csv$/i).test(name)) {
+      bootbox.alert(I18n.t('user.invited.bulk_invite.error'));
+      return false;
+    }
  } else {
    if (!authorizesAllExtensions() && !isAuthorizedFile(name)) {
      bootbox.alert(I18n.t('post.errors.upload_not_authorized', { authorized_extensions: authorizedExtensions() }));
--- a/app/controllers/invites_controller.rb
+++ b/app/controllers/invites_controller.rb
@ -156,9 +156,9 @@ class InvitesController < ApplicationController

    Scheduler::Defer.later("Upload CSV") do
      begin
-        data = if extension == ".csv"
+        data = if extension.downcase == ".csv"
          path = Invite.create_csv(file, name)
-          Jobs.enqueue(:bulk_invite, filename: "#{name}.csv", current_user_id: current_user.id)
+          Jobs.enqueue(:bulk_invite, filename: "#{name}#{extension}", current_user_id: current_user.id)
          {url: path}
        else
          failed_json.merge(errors: [I18n.t("bulk_invite.file_should_be_csv")])
--- a/config/locales/client.en.yml
+++ b/config/locales/client.en.yml
@ -833,6 +833,7 @@ en:
          none: "You haven't invited anyone here yet. You can send individual invites, or invite a bunch of people at once by <a href='https://meta.discourse.org/t/send-bulk-invites/16468'>uploading a CSV file</a>."
          text: "Bulk Invite from File"
          success: "File uploaded successfully, you will be notified via message when the process is complete."
+          error: "Sorry, file should be of csv format."

      password:
        title: "Password"