SECURITY: only allow picking of avatars created by self (#6417)

* SECURITY: only allow picking of avatars created by self

Also adds origin tracking to all uploads including de-duplicated uploads
Sam
2018-09-20 15:33:10 +10:00
committed by Guo Xiang Tan
parent e0be5145cf
commit df45e82377
10 changed files with 196 additions and 11 deletions


@ -1,6 +1,23 @@
# mixin for all Guardian methods dealing with user permissions
module UserGuardian
def can_pick_avatar?(user_avatar, upload)
return false unless self.user
return true if is_admin?
# can always pick blank avatar
return true if !upload
return true if user_avatar.contains_upload?(upload.id)
return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id
UserUpload.exists?(
upload_id: upload.id,
user_id: [upload.user_id, user.id]
)
end
def can_edit_user?(user)
is_me?(user) || is_staff?
end
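Review bot: the `UserUpload.exists?` fallback in `can_pick_avatar?` looks wider than the ownership rule the preceding lines establish. Passing `user_id: [upload.user_id, user.id]` means the query also succeeds whenever a `UserUpload` row exists for the original uploader, independent of who the current user is; since this commit adds origin tracking to all uploads, such a row will usually exist, so any non-admin could pass this check for any upload. The `upload.user_id` cases are already handled by `return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id`, so the lookup should only need `user_id: user.id` (or `[user_avatar.user_id, user.id]` if the intent is that the avatar owner's own uploads qualify). If `upload.user_id` is kept deliberately (for example because it can be nil on de-duplicated uploads), a comment explaining that would help, and a spec covering a user trying to pick another user's upload would pin the intended behaviour down.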