FIX: uploading custom avatar was always hidden

app/assets/javascripts/discourse/lib/utilities.js.es6

@@ -190,10 +190,8 @@ export function validateUploadedFiles(files, bypassNewUserRestriction) {
 
 export function validateUploadedFile(file, type, bypassNewUserRestriction) {
   // check that the uploaded file is authorized
-  if (!authorizesAllExtensions() &&
+  if (!authorizesAllExtensions() && !isAuthorizedUpload(file)) {
-      !isAuthorizedUpload(file)) {
+    bootbox.alert(I18n.t('post.errors.upload_not_authorized', { authorized_extensions: authorizedExtensions() }));
-    var extensions = authorizedExtensions();
-    bootbox.alert(I18n.t('post.errors.upload_not_authorized', { authorized_extensions: extensions }));
     return false;
   }
 
@@ -217,23 +215,24 @@ export function authorizesAllExtensions() {
   return Discourse.SiteSettings.authorized_extensions.indexOf("*") >= 0;
 }
 
+function extensions() {
+  return Discourse.SiteSettings.authorized_extensions
+                               .toLowerCase()
+                               .replace(/[\s\.]+/g, "")
+                               .split("|")
+                               .filter(ext => ext.indexOf("*") === -1);
+}
+
+function extensionsRegex() {
+  return new RegExp("\\.(" + extensions().join("|") + ")$", "i");
+}
+
 export function isAuthorizedUpload(file) {
-  if (file && file.name) {
+  return file && file.name && extensionsRegex().test(file.name);
-    var extensions = _.chain(Discourse.SiteSettings.authorized_extensions.split("|"))
-      .reject(function(extension) { return extension.indexOf("*") >= 0; })
-      .map(function(extension) { return (extension.indexOf(".") === 0 ? extension.substring(1) : extension).replace(".", "\\."); })
-      .value();
-    return new RegExp("\\.(" + extensions.join("|") + ")$", "i").test(file.name);
-  }
-  return false;
 }
 
 export function authorizedExtensions() {
-  return _.chain(Discourse.SiteSettings.authorized_extensions.split("|"))
+  return extensions().join(", ");
-    .reject(function(extension) { return extension.indexOf("*") >= 0; })
-    .map(function(extension) { return extension.toLowerCase(); })
-    .value()
-    .join(", ");
 }
 
 export function uploadLocation(url) {
@@ -267,12 +266,12 @@ export function isAnImage(path) {
 
 export function allowsImages() {
   return authorizesAllExtensions() ||
-    (/\.(png|jpe?g|gif|bmp|tiff?|svg|webp|ico)/i).test(authorizedExtensions());
+    (/(png|jpe?g|gif|bmp|tiff?|svg|webp|ico)/i).test(authorizedExtensions());
 }
 
 export function allowsAttachments() {
   return authorizesAllExtensions() ||
-    !/^(\.(png|jpe?g|gif|bmp|tiff?|svg|webp|ico)(,\s)?)+$/i.test(authorizedExtensions());
+    !/^((png|jpe?g|gif|bmp|tiff?|svg|webp|ico)(,\s)?)+$/i.test(authorizedExtensions());
 }
 
 export function displayErrorForUpload(data) {

lib/validators/upload_validator.rb

@@ -49,12 +49,10 @@ class Validators::UploadValidator < ActiveModel::Validator
     authorized_uploads = Set.new
 
     SiteSetting.authorized_extensions
-      .tr(" ", "")
+      .gsub(/[\s\.]+/, "")
+      .downcase
       .split("|")
-      .each do |extension|
+      .each { |extension| authorized_uploads << extension unless extension.include?("*") }
-        next if extension.include?("*")
-        authorized_uploads << (extension.start_with?(".") ? extension[1..-1] : extension).downcase
-      end
 
     authorized_uploads
   end

test/javascripts/lib/utilities-test.js.es6

@@ -5,6 +5,8 @@ import {
   extractDomainFromUrl,
   isAnImage,
   avatarUrl,
+  authorizedExtensions,
+  allowsImages,
   allowsAttachments,
   getRawSize,
   avatarImg,
@@ -63,12 +65,11 @@ test("new user cannot upload attachments", function() {
 });
 
 test("ensures an authorized upload", function() {
-  var html = { name: "unauthorized.html" };
+  const html = { name: "unauthorized.html" };
-  var extensions = Discourse.SiteSettings.authorized_extensions.replace(/\|/g, ", ");
   sandbox.stub(bootbox, "alert");
 
   not(validUpload([html]));
-  ok(bootbox.alert.calledWith(I18n.t('post.errors.upload_not_authorized', { authorized_extensions: extensions })));
+  ok(bootbox.alert.calledWith(I18n.t('post.errors.upload_not_authorized', { authorized_extensions: authorizedExtensions() })));
 });
 
 var imageSize = 10 * 1024;
@@ -163,15 +164,33 @@ test("avatarImg", function() {
   setDevicePixelRatio(oldRatio);
 });
 
+test("allowsImages", function() {
+  Discourse.SiteSettings.authorized_extensions = "jpg|jpeg|gif";
+  ok(allowsImages(), "works");
+
+  Discourse.SiteSettings.authorized_extensions = ".jpg|.jpeg|.gif";
+  ok(allowsImages(), "works with old extensions syntax");
+
+  Discourse.SiteSettings.authorized_extensions = "txt|pdf|*";
+  ok(allowsImages(), "images are allowed when all extensions are allowed");
+
+  Discourse.SiteSettings.authorized_extensions = "json|jpg|pdf|txt";
+  ok(allowsImages(), "images are allowed when at least one extension is an image extension");
+});
+
+
 test("allowsAttachments", function() {
-  Discourse.SiteSettings.authorized_extensions = ".jpg, .jpeg, .gif";
+  Discourse.SiteSettings.authorized_extensions = "jpg|jpeg|gif";
   not(allowsAttachments(), "no attachments allowed by default");
 
-  Discourse.SiteSettings.authorized_extensions = ".jpg, .jpeg, .gif, *";
+  Discourse.SiteSettings.authorized_extensions = "jpg|jpeg|gif|*";
   ok(allowsAttachments(), "attachments are allowed when all extensions are allowed");
 
-  Discourse.SiteSettings.authorized_extensions = ".jpg, .jpeg, .gif, .pdf";
+  Discourse.SiteSettings.authorized_extensions = "jpg|jpeg|gif|pdf";
   ok(allowsAttachments(), "attachments are allowed when at least one extension is not an image extension");
+
+  Discourse.SiteSettings.authorized_extensions = ".jpg|.jpeg|.gif|.pdf";
+  ok(allowsAttachments(), "works with old extensions syntax");
 });
 
 test("defaultHomepage", function() {