SECURITY: Users can pick non-avatar uploads.

https://meta.discourse.org/t/bug-report-idor-on-avatar-pick-function-discussions-udacity-com/103564
discourse · Dec 18, 2018 · 5c2e194 · 5c2e194
1 parent 899caf3
commit 5c2e194
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 16 deletions.
diff --git a/lib/guardian/user_guardian.rb b/lib/guardian/user_guardian.rb
@@ -3,19 +3,13 @@ module UserGuardian
 
   def can_pick_avatar?(user_avatar, upload)
     return false unless self.user
-
     return true if is_admin?
-
     # can always pick blank avatar
     return true if !upload
-
     return true if user_avatar.contains_upload?(upload.id)
     return true if upload.user_id == user_avatar.user_id || upload.user_id == user.id
 
-    UserUpload.exists?(
-      upload_id: upload.id,
-      user_id: [upload.user_id, user.id]
-    )
+    UserUpload.exists?(upload_id: upload.id, user_id: user.id)
   end
 
   def can_edit_user?(user)

diff --git a/spec/components/guardian/user_guardian_spec.rb b/spec/components/guardian/user_guardian_spec.rb
@@ -14,8 +14,8 @@
     Fabricate.build(:admin, id: 3)
   end
 
-  let :user_avatar do
-    UserAvatar.new(user_id: user.id)
+  let(:user_avatar) do
+    Fabricate(:user_avatar, user: user)
   end
 
   let :users_upload do
@@ -54,19 +54,24 @@
       it "can not set uploads not owned by current user" do
         expect(guardian.can_pick_avatar?(user_avatar, users_upload)).to eq(true)
         expect(guardian.can_pick_avatar?(user_avatar, already_uploaded)).to eq(true)
+
+        UserUpload.create!(
+          upload_id: not_my_upload.id,
+          user_id: not_my_upload.user_id
+        )
+
         expect(guardian.can_pick_avatar?(user_avatar, not_my_upload)).to eq(false)
         expect(guardian.can_pick_avatar?(user_avatar, nil)).to eq(true)
       end
 
       it "can handle uploads that are associated but not directly owned" do
-        yes_my_upload = not_my_upload
-        UserUpload.create!(upload_id: yes_my_upload.id, user_id: user_avatar.user_id)
-        expect(guardian.can_pick_avatar?(user_avatar, yes_my_upload)).to eq(true)
-
-        UserUpload.destroy_all
+        UserUpload.create!(
+          upload_id: not_my_upload.id,
+          user_id: user_avatar.user_id
+        )
 
-        UserUpload.create!(upload_id: yes_my_upload.id, user_id: yes_my_upload.user_id)
-        expect(guardian.can_pick_avatar?(user_avatar, yes_my_upload)).to eq(true)
+        expect(guardian.can_pick_avatar?(user_avatar, not_my_upload))
+          .to eq(true)
       end
     end