Also redirect to it for download, for Amazon S3 compatibility. Prior to this patch an attacker could obtain a user's export by guessing the filename with a high chance of success. Fully authenticating the download request is a lot harder due to our diverse deployment scenarios. This brings the method used in line with the photo export feature. Thanks to @tomekr for the report.
17 lines
351 B
Ruby
# Copyright (c) 2010-2011, Diaspora Inc. This file is
# licensed under the Affero General Public License version 3 or later. See
# the COPYRIGHT file.

# Uploader for a user's photo export archive. The stored name carries a
# random secure_token (provided by SecureUploader), so knowing a username is
# not enough to derive the download URL.
class ExportedPhotos < SecureUploader

  # Directory under which the export archives are stored.
  def store_dir
    "uploads/users"
  end

  # Name of the stored archive. Returns nil when there is no original file
  # (the uploader convention for "nothing uploaded"), otherwise
  # <username>_photos_<secure_token>.zip.
  def filename
    "#{model.username}_photos_#{secure_token}.zip" if original_filename.present?
  end

end
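The commit message describes the fix as moving from a guessable export filename to one carrying a random secure token, as the uploader above already does for photos. The following is an added, self-contained Ruby example (not Diaspora code; the project's SecureUploader base class is not on this page, so a stand-in named SecureUploaderExample is assumed) that shows the guessable scheme beside the tokenized one, why the token must be cached on the model rather than regenerated on every call, and the size of the guess space. The `_data.json.gz` suffix, the ExampleUser struct and the 16-byte hex token are illustrative assumptions.

```ruby
require 'securerandom'

# Assumed stand-in for the page's SecureUploader base class. It provides only
# what the example needs: the model, the original filename, and a per-model
# secure token.
class SecureUploaderExample
  attr_reader :model, :original_filename

  def initialize(model, original_filename)
    @model = model
    @original_filename = original_filename
  end

  # The token is generated once and cached on the model, so every uploader
  # instance built for this model produces the same #filename. Uploader
  # libraries call #filename more than once per upload; a fresh random value
  # on each call would store the file under one name and link to another.
  def secure_token
    ivar = :@export_secure_token
    model.instance_variable_get(ivar) ||
      model.instance_variable_set(ivar, SecureRandom.hex(16)) # 128 bits
  end
end

# Guessable naming: anyone who knows the username can predict the path.
class GuessableExport < SecureUploaderExample
  def filename
    "#{model.username}_data.json.gz" if original_filename
  end
end

# Hardened naming: the random token must be known to fetch the archive.
class TokenizedExport < SecureUploaderExample
  def filename
    "#{model.username}_data_#{secure_token}.json.gz" if original_filename
  end
end

# Constructed model: only a username is needed for the example.
ExampleUser = Struct.new(:username)

# What an attacker who knows the username would request under the old scheme.
def attacker_guess(username)
  "#{username}_data.json.gz"
end

# Number of distinct names an attacker must try to enumerate a token of the
# given hex length (16 possibilities per hex character).
def guesses_to_enumerate(hex_chars)
  16**hex_chars
end

if __FILE__ == $PROGRAM_NAME
  user = ExampleUser.new("alice")
  puts "guessable: #{GuessableExport.new(user, 'export.json.gz').filename}"
  puts "tokenized: #{TokenizedExport.new(user, 'export.json.gz').filename}"
  puts "guesses to enumerate a 32-hex-char token: #{guesses_to_enumerate(32)}"
end
```

The check worth keeping from this example is the stability one: two uploader instances for the same model must agree on the filename, otherwise the redirect target mentioned in the commit message would not match the object actually stored.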