SECURITY: Validate the entity when downloading a CSV

Robin Ward
2017-05-19 15:59:37 -04:00
parent 0a8e16d049
commit 908433a7a0
4 changed files with 12 additions and 11 deletions


@ -18,19 +18,19 @@ describe ExportCsvController do
describe ".export_entity" do
it "enqueues export job" do
Jobs.expects(:enqueue).with(:export_csv_file, has_entries(entity: "user_archive", user_id: @user.id))
xhr :post, :export_entity, entity: "user_archive", entity_type: "user"
xhr :post, :export_entity, entity: "user_archive"
expect(response).to be_success
end
it "should not enqueue export job if rate limit is reached" do
Jobs::ExportCsvFile.any_instance.expects(:execute).never
UserExport.create(file_name: "user-archive-codinghorror-150116-003249", user_id: @user.id)
xhr :post, :export_entity, entity: "user_archive", entity_type: "user"
xhr :post, :export_entity, entity: "user_archive"
expect(response).not_to be_success
end
it "returns 404 when normal user tries to export admin entity" do
xhr :post, :export_entity, entity: "staff_action", entity_type: "admin"
xhr :post, :export_entity, entity: "staff_action"
expect(response).not_to be_success
end
end
@ -67,14 +67,14 @@ describe ExportCsvController do
describe ".export_entity" do
it "enqueues export job" do
Jobs.expects(:enqueue).with(:export_csv_file, has_entries(entity: "staff_action", user_id: @admin.id))
xhr :post, :export_entity, entity: "staff_action", entity_type: "admin"
xhr :post, :export_entity, entity: "staff_action"
expect(response).to be_success
end
it "should not rate limit export for staff" do
Jobs.expects(:enqueue).with(:export_csv_file, has_entries(entity: "staff_action", user_id: @admin.id))
UserExport.create(file_name: "screened-email-150116-010145", user_id: @admin.id)
xhr :post, :export_entity, entity: "staff_action", entity_type: "admin"
xhr :post, :export_entity, entity: "staff_action"
expect(response).to be_success
end
end
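Review bot: The example "returns 404 when normal user tries to export admin entity" in the first hunk still asserts only `expect(response).not_to be_success`, which passes for any non-2xx status, so it does not pin the 404 its title promises now that the server rather than the client-supplied `entity_type` decides which entities a user may export; tighten it to `expect(response.status).to eq(404)`. The rate-limit example above it uses the same loose assertion, where a 500 from a failing lookup would also pass. With `entity_type` gone from the request, nothing in this file posts an entity name that is absent from the server-side list at all, which is the input the new validation exists to reject; a fourth example for an unrecognised entity (sketched below, the entity name is a placeholder) would cover that path, asserting the same status the 404 example pins. The outer `describe ExportCsvController` block starts outside the hunk, and the controller change itself is in one of the files not shown here.
```ruby
it "does not enqueue export job for an entity that is not allowed" do
  Jobs.expects(:enqueue).never
  xhr :post, :export_entity, entity: "not_a_real_entity" # placeholder: any name absent from the server's list
  expect(response).not_to be_success
end
```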