feat: restrict max avatar size

resolves #1171
kolaente 2022-06-12 18:29:12 +02:00
parent 172a6214d7
commit 2f25b48869
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
7 changed files with 26 additions and 4 deletions


@ -56,6 +56,9 @@ service:
# it may be required to coordinate with them in order to delete the account. This setting will not affect the cli commands
# for user deletion.
enableuserdeletion: true
# The maximum size clients will be able to request for user avatars.
# If clients request a size bigger than this, it will be changed on the fly.
maxavatarsize: 1024
database:
# Database type to use. Supported types are mysql, postgres and sqlite.


@ -321,6 +321,18 @@ Full path: `service.enableuserdeletion`
Environment path: `VIKUNJA_SERVICE_ENABLEUSERDELETION`
### maxavatarsize
The maximum size clients will be able to request for user avatars.
If clients request a size bigger than this, it will be changed on the fly.
Default: `1024`
Full path: `service.maxavatarsize`
Environment path: `VIKUNJA_SERVICE_MAXAVATARSIZE`
---
## database


@ -62,6 +62,7 @@ const (
ServiceTestingtoken Key = `service.testingtoken`
ServiceEnableEmailReminders Key = `service.enableemailreminders`
ServiceEnableUserDeletion Key = `service.enableuserdeletion`
ServiceMaxAvatarSize Key = `service.maxavatarsize`
AuthLocalEnabled Key = `auth.local.enabled`
AuthOpenIDEnabled Key = `auth.openid.enabled`
@ -287,6 +288,7 @@ func InitDefaultConfig() {
ServiceEnableTotp.setDefault(true)
ServiceEnableEmailReminders.setDefault(true)
ServiceEnableUserDeletion.setDefault(true)
ServiceMaxAvatarSize.setDefault(1024)
// Auth
AuthLocalEnabled.setDefault(true)


@ -17,6 +17,7 @@
package v1
import (
"code.vikunja.io/api/pkg/config"
"code.vikunja.io/api/pkg/db"
"code.vikunja.io/api/pkg/files"
"code.vikunja.io/api/pkg/log"
@ -49,7 +50,7 @@ import (
// @tags user
// @Produce octet-stream
// @Param username path string true "The username of the user who's avatar you want to get"
// @Param size query int false "The size of the avatar you want to get"
// @Param size query int false "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size."
// @Success 200 {} blob "The avatar"
// @Failure 404 {object} models.Message "The user does not exist."
// @Failure 500 {object} models.Message "Internal error"
@ -97,6 +98,9 @@ func GetAvatar(c echo.Context) error {
return handler.HandleHTTPError(err, c)
}
}
if sizeInt > config.ServiceMaxAvatarSize.GetInt64() {
sizeInt = config.ServiceMaxAvatarSize.GetInt64()
}
// Get the avatar
a, mimeType, err := avatarProvider.GetAvatar(u, sizeInt)
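Review bot: The new clamp in GetAvatar only bounds the upper side, so a zero or negative `sizeInt` passes through to `avatarProvider.GetAvatar` unchanged; the parsing that produces `sizeInt` is above the hunk, so whether non-positive values can reach this point depends on code not shown here, but the clamp is the natural place to enforce a lower bound too. The configured maximum is also read twice and is not checked anywhere in this commit for being positive, so a misconfigured `maxavatarsize: 0` would clamp every request to zero. Reading the limit once and guarding both ends keeps the resource-bounding intent of the change: `maxSize := config.ServiceMaxAvatarSize.GetInt64()` followed by `if sizeInt <= 0 || sizeInt > maxSize { sizeInt = maxSize }` — if a size of 0 is meant to select a default elsewhere, handle that before the clamp instead. GetAvatar begins and continues outside this hunk.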


@ -7537,7 +7537,7 @@ const docTemplate = `{
},
{
"type": "integer",
"description": "The size of the avatar you want to get",
"description": "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size.",
"name": "size",
"in": "query"
}


@ -7528,7 +7528,7 @@
},
{
"type": "integer",
"description": "The size of the avatar you want to get",
"description": "The size of the avatar you want to get. If bigger than the max configured size this will be adjusted to the maximum size.",
"name": "size",
"in": "query"
}


@ -1433,7 +1433,8 @@ paths:
name: username
required: true
type: string
- description: The size of the avatar you want to get
- description: The size of the avatar you want to get. If bigger than the max
configured size this will be adjusted to the maximum size.
in: query
name: size
type: integer