LeadMagnet/leadchat
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity

chore: Security Improvements to the API (#2893)

Browse Source 
- Devise auth tokens are reset on password update
- Avatar attachment file type is limited to jpeg,gif and png
- Avatar attachment file size is limited to 15 mb
- Widget Message attachments are limited to types ['image/png', 'image/jpeg', 'image/gif', 'image/bmp', 'image/tiff', 'application/pdf', 'audio/mpeg', 'video/mp4', 'audio/ogg', 'text/csv']
- Widget Message attachments are limited to 40Mb size limit.
This commit is contained in:
Sojan Jose
2021-09-01 15:08:05 +05:30
committed by GitHub
parent 06d8916341
commit 6fdd4a2996
9 changed files with 60 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
app/models/concerns/avatarable.rb
View File

@@ -6,6 +6,7 @@ module Avatarable
included do
has_one_attached :avatar
validate :acceptable_avatar
end
def avatar_url
@@ -18,4 +19,13 @@ module Avatarable
''
end
def acceptable_avatar
return unless avatar.attached?
errors.add(:avatar, 'is too big') if avatar.byte_size > 15.megabytes
acceptable_types = ['image/jpeg', 'image/png', 'image/gif'].freeze
errors.add(:avatar, 'filetype not supported') unless acceptable_types.include?(avatar.content_type)
end
end