FIX: Never allow custom emoji to be marked secure (#8965)

* Because custom emoji count as post "uploads" we were
marking them as secure when updating the secure status for post uploads.
* We were also giving them an access control post id, which meant
broken image previews from 403 errors in the admin custom emoji list.
* We now check if an upload is used as a custom emoji and do not
assign the access control post + never mark as secure.
This commit is contained in:
Martin Brennan
2020-02-14 11:17:09 +10:00
committed by GitHub
parent 149196b9ce
commit 56b16bc68e
5 changed files with 32 additions and 4 deletions

@ -28,7 +28,7 @@ class UploadSecurity
private
def uploading_in_public_context?
@upload.for_theme || @upload.for_site_setting || @upload.for_gravatar || public_type?
@upload.for_theme || @upload.for_site_setting || @upload.for_gravatar || public_type? || used_for_custom_emoji?
end
def supported_media?
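Review bot: the new `used_for_custom_emoji?` term in `uploading_in_public_context?` is the only member of the `||` chain that runs a database query, while the other terms read attributes or call `public_type?`. Keeping it last is right, since the cheaper flags short-circuit first, but that ordering is easy to lose in a later edit. Consider a one-line comment on the condition saying the emoji check hits the database and should stay at the end, and consider breaking the chain across lines now that it has five terms.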
@ -70,4 +70,9 @@ class UploadSecurity
def uploading_in_composer?
@upload_type == "composer"
end
def used_for_custom_emoji?
return false if @upload.id.blank?
CustomEmoji.exists?(upload_id: @upload.id)
end
end
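Review bot: in `used_for_custom_emoji?`, the guard `return false if @upload.id.blank?` together with `CustomEmoji.exists?(upload_id: @upload.id)` means the check only succeeds once both the upload and its `CustomEmoji` row are persisted. If the security decision runs before the emoji record exists, this returns false and the result depends entirely on the other terms in `uploading_in_public_context?`. Please document that ordering assumption in a comment above the method and cover both the unsaved-upload case and the not-yet-linked case in a spec. If the method can be called more than once per `UploadSecurity` instance, memoizing the result would avoid repeating the `exists?` query.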