github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2025-05-29 01:31:35 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

SECURITY: Don't pass email backup token to sidekiq as a parameter.

Browse Source 
* This exposes the token in the Sidekiq dashboard which can be
  viewed by an admin and defeats the purpose of using a token
  in the download backup email ink.
This commit is contained in:
Guo Xiang Tan
2017-12-18 11:25:22 +08:00
parent 433ef4513b
commit 97ceebb570
5 changed files with 61 additions and 29 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
spec/controllers/admin/backups_controller_spec.rb
View File

@ -127,27 +127,6 @@ describe Admin::BackupsController do
end
describe ".email" do
let(:b) { Backup.new(backup_filename) }
it "enqueues email job" do
Backup.expects(:[]).with(backup_filename).returns(b)
Jobs.expects(:enqueue).with(:download_backup_email, has_entries(to_address: @admin.email))
put :email, params: { id: backup_filename }, format: :json
expect(response).to be_success
end
it "returns 404 when the backup does not exist" do
put :email, params: { id: backup_filename }, format: :json
expect(response).to be_not_found
end
end
describe ".destroy" do
let(:b) { Backup.new(backup_filename) }