SECURITY: only allow picking of avatars created by self (#6417)

* SECURITY: only allow picking of avatars created by self Also adds origin tracking to all uploads including de-duplicated uploads
2025-05-21 18:12:32 +08:00 · 2018-09-20 15:33:10 +10:00
parent e0be5145cf
commit df45e82377
10 changed files with 196 additions and 11 deletions
--- a/lib/upload_creator.rb
+++ b/lib/upload_creator.rb
@ -74,7 +74,10 @@ class UploadCreator
      end

      # return the previous upload if any
-      return @upload unless @upload.nil?
+      if @upload
+        UserUpload.find_or_create_by!(user_id: user_id, upload_id: @upload.id) if user_id
+        return @upload
+      end

      fixed_original_filename = nil
      if is_image
@ -132,6 +135,10 @@ class UploadCreator
        Jobs.enqueue(:create_avatar_thumbnails, upload_id: @upload.id, user_id: user_id)
      end

+      if @upload.errors.empty?
+        UserUpload.find_or_create_by!(user_id: user_id, upload_id: @upload.id) if user_id
+      end
+
      @upload
    end
  ensure