FIX: Post uploads setting access_control_post_id unnecessarily (#26627)

This commit addresses an issue for sites where secure_uploads is turned on after the site has been operating without it for some time. When uploads are linked when they are used inside a post, we were setting the access_control_post_id unconditionally if it was NULL to that post ID and secure_uploads was true. However this causes issues if an upload has been used in a few different places, especially if a post was previously used in a PM and marked secure, so we end up with a case of the upload using a public post for its access control, which causes URLs to not use the /secure-uploads/ path in the post, breaking things like image uploads. We should only set the access_control_post_id if the post is the first time the upload is referenced so it cannot hijack uploads from other places.
2025-05-28 13:51:18 +08:00 · 2024-04-16 10:37:57 +10:00
parent 9a5eca04fb
commit cdc8e9de1b
5 changed files with 73 additions and 22 deletions
--- a/app/models/upload_reference.rb
+++ b/app/models/upload_reference.rb
@ -6,6 +6,10 @@ class UploadReference < ActiveRecord::Base

  delegate :to_markdown, to: :upload

+  def target?(target_to_check)
+    self.target_id == target_to_check.id && self.target_type == target_to_check.class.to_s
+  end
+
  def self.ensure_exist!(upload_ids: [], target: nil, target_type: nil, target_id: nil)
    if !target && !(target_type && target_id)
      raise "target OR target_type and target_id are required"