SECURITY: only allow picking of avatars created by self (#6417)

* SECURITY: only allow picking of avatars created by self Also adds origin tracking to all uploads including de-duplicated uploads
2025-06-02 01:58:05 +08:00 · 2018-09-20 15:33:10 +10:00
parent e0be5145cf
commit df45e82377
10 changed files with 196 additions and 11 deletions
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@ -1770,9 +1770,13 @@ describe UsersController do
    end

    context 'while logged in' do
+      before do
+        sign_in(user)
+      end

-      let!(:user) { sign_in(Fabricate(:user)) }
-      let(:upload) { Fabricate(:upload) }
+      let(:upload) do
+        Fabricate(:upload, user: user)
+      end

      it "raises an error when you don't have permission to toggle the avatar" do
        another_user = Fabricate(:user)
@ -1809,6 +1813,9 @@ describe UsersController do
      end

      it 'can successfully pick a gravatar' do
+
+        user.user_avatar.update_columns(gravatar_upload_id: upload.id)
+
        put "/u/#{user.username}/preferences/avatar/pick.json", params: {
          upload_id: upload.id, type: "gravatar"
        }
@ -1818,6 +1825,16 @@ describe UsersController do
        expect(user.user_avatar.reload.gravatar_upload_id).to eq(upload.id)
      end

+      it 'can not pick uploads that were not created by user' do
+        upload2 = Fabricate(:upload)
+
+        put "/u/#{user.username}/preferences/avatar/pick.json", params: {
+          upload_id: upload2.id, type: "custom"
+        }
+
+        expect(response.status).to eq(403)
+      end
+
      it 'can successfully pick a custom avatar' do
        put "/u/#{user.username}/preferences/avatar/pick.json", params: {
          upload_id: upload.id, type: "custom"
@ -2268,7 +2285,7 @@ describe UsersController do
      end

      it "raises an error when logged in" do
-        moderator = sign_in(Fabricate(:moderator))
+        sign_in(Fabricate(:moderator))
        post_user

        put "/u/update-activation-email.json", params: {
@ -2280,7 +2297,7 @@ describe UsersController do

      it "raises an error when the new email is taken" do
        active_user = Fabricate(:user)
-        user = post_user
+        post_user

        put "/u/update-activation-email.json", params: {
          email: active_user.email
@ -2290,7 +2307,7 @@ describe UsersController do
      end

      it "raises an error when the email is blacklisted" do
-        user = post_user
+        post_user
        SiteSetting.email_domains_blacklist = 'example.com'
        put "/u/update-activation-email.json", params: { email: 'test@example.com' }
        expect(response.status).to eq(422)