SECURITY: Don't pass email backup token to sidekiq as a parameter.

* This exposes the token in the Sidekiq dashboard which can be
  viewed by an admin and defeats the purpose of using a token
  in the download backup email link.
Guo Xiang Tan
2017-12-18 11:25:22 +08:00
parent 433ef4513b
commit 97ceebb570
5 changed files with 61 additions and 29 deletions


@ -127,27 +127,6 @@ describe Admin::BackupsController do
end
describe ".email" do
let(:b) { Backup.new(backup_filename) }
it "enqueues email job" do
Backup.expects(:[]).with(backup_filename).returns(b)
Jobs.expects(:enqueue).with(:download_backup_email, has_entries(to_address: @admin.email))
put :email, params: { id: backup_filename }, format: :json
expect(response).to be_success
end
it "returns 404 when the backup does not exist" do
put :email, params: { id: backup_filename }, format: :json
expect(response).to be_not_found
end
end
describe ".destroy" do
let(:b) { Backup.new(backup_filename) }