FIX: Stop category logo + background being marked secure (#10513)

Meta topic: https://meta.discourse.org/t/secure-media-uploads-breaks-category-logos/161693 Category backgrounds and logos are public uploads and should not be marked as secure. I also discovered that a lot of the UploadSecurity specs for public types were returning false positives; this has been fixed.
2025-05-22 22:43:33 +08:00 · 2020-08-24 17:12:28 +10:00
parent 05174df5c0
commit e8a842ab8c
2 changed files with 89 additions and 70 deletions
--- a/lib/upload_security.rb
+++ b/lib/upload_security.rb
@ -14,7 +14,10 @@
 # on the current secure? status, otherwise there would be a lot of additional
 # complex queries and joins to perform.
 class UploadSecurity
-  PUBLIC_TYPES = %w[avatar custom_emoji profile_background card_background]
+  PUBLIC_TYPES = %w[
+    avatar custom_emoji profile_background card_background category_logo category_background
+  ]
+
  def initialize(upload, opts = {})
    @upload = upload
    @opts = opts
@ -30,7 +33,12 @@ class UploadSecurity
  private

  def uploading_in_public_context?
-    @upload.for_theme || @upload.for_site_setting || @upload.for_gravatar || public_type? || used_for_custom_emoji? || based_on_regular_emoji?
+    @upload.for_theme ||
+      @upload.for_site_setting ||
+      @upload.for_gravatar ||
+      public_type? ||
+      used_for_custom_emoji? ||
+      based_on_regular_emoji?
  end

  def uploading_in_secure_context?