Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional avatar REST checks #317

Merged
merged 2 commits into from
Nov 14, 2024
Merged

Additional avatar REST checks #317

merged 2 commits into from
Nov 14, 2024

Conversation

dkotter
Copy link
Collaborator

@dkotter dkotter commented Nov 12, 2024

Description of the Change

Users with access to the user REST endpoint can use that to set their avatar. Additional checks were added in the last release but a few other areas of concern came up:

  1. We allow any valid attachment ID to be set, including things like PDFs or videos. We change that here to ensure the attachment ID is associated with an image only
  2. Any valid attachment ID can be used, even if that ID wasn't an image uploaded by the user. We change that here to only proceed if the attachment ID they are using is an attachment associated with their account. This means any images uploaded by another user aren't allowed to be used

Note

While these changes make things more secure, this could be seen as a breaking change if someone is used to a workflow where one user uploads images and other users then set those images as their avatar via a REST request. I can't imagine that's common (if anyone is doing that at all) but worth flagging

How to test the Change

Make authenticated requests to the user endpoint, passing in the proper data and ensuring the avatar gets set correctly and rejected correctly. For instance, try passing in an attachment ID that doesn't exit, that does exist but isn't an image, that is an image that your user uploaded, that is an image that a different user uploaded. Ping me for full details if needed.

Changelog Entry

Changed - Only allow images that were uploaded by the same user be used when setting the avatar via a REST request
Fixed - Only allow image files to be set as the avatar in REST requests

Credits

Props @dkotter, @justus12337

Checklist:

@dkotter dkotter added this to the Future Release milestone Nov 12, 2024
@dkotter dkotter self-assigned this Nov 12, 2024
@dkotter dkotter requested a review from jeffpaul as a code owner November 12, 2024 21:07
@github-actions github-actions bot added the needs:code-review This requires code review. label Nov 12, 2024
@dkotter dkotter requested a review from faisal-alvi November 12, 2024 21:13
Copy link
Member

@faisal-alvi faisal-alvi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Tests well ✅

Passing in an attachment ID that doesn't exists

image


That does exist but isn't an image (PDF)

image


That is an image that your user uploaded

image


That is an image that a different user uploaded

image

@dkotter dkotter modified the milestones: Future Release, 2.8.3 Nov 14, 2024
@dkotter dkotter merged commit 6fa814e into develop Nov 14, 2024
17 checks passed
@dkotter dkotter deleted the fix/avatar-set-user-check branch November 14, 2024 20:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
needs:code-review This requires code review.
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

2 participants