FIX: Skip upload extension validation when changing security (#16498)

When changing upload security using `Upload#update_secure_status`,
we may not have the context of how an upload is being created, because
this code path can be run through scheduled jobs. When calling
update_secure_status, the normal ActiveRecord validations are run,
and ours include validating extensions. In some cases the upload
is created in an automated way, such as user export zips, and the
security is applied later, with the extension prohibited from
use when normally uploading.

This caused the upload to fail validation on `update_secure_status`,
causing the security change to silently fail. This fixes the issue
by skipping the file extension validation when the upload security
is being changed.
This commit is contained in:
Martin Brennan
2022-04-20 14:11:39 +10:00
committed by GitHub
parent 5a76a3669b
commit 154afa60eb
4 changed files with 89 additions and 8 deletions

@ -322,6 +322,15 @@ RSpec.describe UploadCreator do
expect(upload.secure?).to eq(false)
end
it "sets a reason for the security" do
upload = UploadCreator.new(file, filename, opts).create_for(user.id)
stored_upload = Upload.last
expect(stored_upload.secure?).to eq(true)
expect(stored_upload.security_last_changed_at).not_to eq(nil)
expect(stored_upload.security_last_changed_reason).to eq("uploading via the composer | source: upload creator")
end
end
context 'uploading to s3' do
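
Review bot: In the new "sets a reason for the security" example, the value assigned to `upload` is never used and the assertions go through `Upload.last`, which checks whichever row is newest rather than the record this call created. Assert on the returned upload (reloaded if needed), or drop the unused assignment. `expect(stored_upload.security_last_changed_at).not_to eq(nil)` would read better as `not_to be_nil`, or with time frozen so the actual timestamp is checked. This example also only pins the reason string; the failure described in the commit message, a prohibited extension making `update_secure_status` fail validation, is not exercised by these lines, so that regression needs its own spec if one is not already in the other changed files.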