FIX: Only mark attachments as secure media if SiteSetting.secure_media? (#9009)

* Attachments (non-media files) were being marked as secure if just
SiteSetting.prevent_anons_from_downloading_files was enabled. This
was not correct, as nothing should be marked as actually "secure" in
the DB without that site setting enabled.
* Also add a proper standalone spec file for the upload security class.
Martin Brennan
2020-02-21 09:35:16 +10:00
committed by GitHub
parent a47e0a3fda
commit 04df3bd46d
4 changed files with 184 additions and 8 deletions

@ -21,8 +21,9 @@ class UploadSecurity
end
def should_be_secure?
return false if !SiteSetting.secure_media?
return false if uploading_in_public_context?
secure_attachment? || secure_media?
(secure_attachment? || supported_media?) && uploading_in_secure_context?
end
private
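Review bot: The new last line of should_be_secure?, `(secure_attachment? || supported_media?) && uploading_in_secure_context?`, now requires a secure context for attachments as well as media, which the commit message does not mention. In the line it replaces, `secure_attachment? || secure_media?`, the attachment branch was true on its own and only the media branch checked the context. With secure_media and prevent_anons_from_downloading_files both enabled, an attachment uploaded outside a secure context is therefore no longer marked secure. If that is intended, please say so in the commit message and cover that case explicitly in the new spec. If it is not, keep the context check on the media branch only. A short comment above the two early returns explaining why the site-setting guard comes first would also help the next reader.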
@ -39,10 +40,6 @@ class UploadSecurity
!supported_media? && SiteSetting.prevent_anons_from_downloading_files
end
def secure_media?
SiteSetting.secure_media? && supported_media? && uploading_in_secure_context?
end
def uploading_in_secure_context?
return true if SiteSetting.login_required?
if @upload.access_control_post_id.present?
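Review bot: After secure_media? is removed here, secure_attachment? (the `!supported_media? && SiteSetting.prevent_anons_from_downloading_files` line at the top of this hunk) still returns true when only prevent_anons_from_downloading_files is enabled. The fix therefore depends entirely on the early `return false if !SiteSetting.secure_media?` in should_be_secure?. Any later use of secure_attachment? elsewhere in the class would reintroduce the bug this commit fixes. Consider adding the SiteSetting.secure_media? check to the predicate itself, or renaming it so it no longer reads as a "secure" decision, and add a comment noting that it must only be consulted after the site-setting guard.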