FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side

2025-05-21 18:12:32 +08:00 · 2015-11-12 10:26:45 +01:00
parent 069516f4b4
commit 16f509afb9
4 changed files with 40 additions and 0 deletions
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@ -547,6 +547,16 @@ class UsersController < ApplicationController
    type = params[:type]
    upload_id = params[:upload_id]

+    if SiteSetting.sso_overrides_avatar
+      return render json: failed_json, status: 422
+    end
+
+    if !SiteSetting.allow_uploaded_avatars
+      if type == "uploaded" || type == "custom"
+        return render json: failed_json, status: 422
+      end
+    end
+
    user.uploaded_avatar_id = upload_id

    if AVATAR_TYPES_WITH_UPLOAD.include?(type)