mirror of
https://github.com/discourse/discourse.git
synced 2025-05-29 01:31:35 +08:00
SECURITY: Don't pass email backup token to sidekiq as a parameter.
* This exposes the token in the Sidekiq dashboard which can be viewed by an admin and defeats the purpose of using a token in the download backup email ink.
This commit is contained in:
@ -127,27 +127,6 @@ describe Admin::BackupsController do
|
||||
|
||||
end
|
||||
|
||||
describe ".email" do
|
||||
|
||||
let(:b) { Backup.new(backup_filename) }
|
||||
|
||||
it "enqueues email job" do
|
||||
Backup.expects(:[]).with(backup_filename).returns(b)
|
||||
Jobs.expects(:enqueue).with(:download_backup_email, has_entries(to_address: @admin.email))
|
||||
|
||||
put :email, params: { id: backup_filename }, format: :json
|
||||
|
||||
expect(response).to be_success
|
||||
end
|
||||
|
||||
it "returns 404 when the backup does not exist" do
|
||||
put :email, params: { id: backup_filename }, format: :json
|
||||
|
||||
expect(response).to be_not_found
|
||||
end
|
||||
|
||||
end
|
||||
|
||||
describe ".destroy" do
|
||||
|
||||
let(:b) { Backup.new(backup_filename) }
|
||||
|
Reference in New Issue
Block a user