fix that private texture can be used as avatar

This commit is contained in:
Pig Fang 2020-08-20 10:14:38 +08:00
parent 3c6325ca46
commit d75a7d3ead
No known key found for this signature in database
GPG Key ID: A8198F548DADA9E2
4 changed files with 29 additions and 9 deletions

View File

@ -329,6 +329,14 @@ class UserController extends Controller
return json(trans('user.profile.avatar.wrong-type'), 1);
}
if (
!$texture->public &&
$user->uid !== $texture->uploader &&
!$user->isAdmin()
) {
return json(trans('skinlib.show.private'), 1);
}
$user->avatar = $tid;
$user->save();

View File

@ -13,3 +13,4 @@
- Fixed that previews and avatars cannot be indivdually cached by image format.
- Fixed that message for private textures doesn't match with HTTP status code.
- Fixed that texture isn't checked if it's existed in closet when being applied to player.
- Fixed that private texture can be used as avatar.

View File

@ -13,3 +13,4 @@
- 修复预览图和头像不能根据图像格式来单独缓存的问题
- 修复针对私有材质的错误消息不与 HTTP 状态码相符的问题
- 修复应用材质到角色时未检查材质是否在衣柜中的问题
- 修复可将私有材质设为头像的问题

View File

@ -4,6 +4,7 @@ namespace Tests;
use App\Events;
use App\Mail\EmailVerification;
use App\Models\Texture;
use App\Models\User;
use Blessing\Filter;
use Blessing\Rejection;
@ -507,20 +508,20 @@ class UserControllerTest extends TestCase
{
$user = factory(User::class)->create();
$uid = $user->uid;
$steve = factory(\App\Models\Texture::class)->create();
$cape = factory(\App\Models\Texture::class)->states('cape')->create();
$steve = factory(Texture::class)->create();
$cape = factory(Texture::class)->states('cape')->create();
// Without `tid` field
// without `tid` field
$this->actingAs($user)
->postJson('/user/profile/avatar')
->assertJsonValidationErrors('tid');
// TID is not a integer
// `tid` is not a integer
$this->actingAs($user)
->postJson('/user/profile/avatar', ['tid' => 'string'])
->assertJsonValidationErrors('tid');
// Texture cannot be found
// texture cannot be found
$this->actingAs($user)
->postJson('/user/profile/avatar', ['tid' => -1])
->assertJson([
@ -528,7 +529,7 @@ class UserControllerTest extends TestCase
'message' => trans('skinlib.non-existent'),
]);
// Use cape
// use cape
$this->actingAs($user)
->postJson('/user/profile/avatar', ['tid' => $cape->tid])
->assertJson([
@ -536,7 +537,16 @@ class UserControllerTest extends TestCase
'message' => trans('user.profile.avatar.wrong-type'),
]);
// Success
// use private texture
$private = factory(Texture::class)->state('private')->create();
$this->actingAs($user)
->postJson('/user/profile/avatar', ['tid' => $private->tid])
->assertJson([
'code' => 1,
'message' => trans('skinlib.show.private'),
]);
// success
Event::fake();
$this->actingAs($user)
->postJson('/user/profile/avatar', ['tid' => $steve->tid])
@ -566,7 +576,7 @@ class UserControllerTest extends TestCase
}
);
// Reset avatar
// reset avatar
Event::fake();
$this->postJson('/user/profile/avatar', ['tid' => 0])
->assertJson(['code' => 0]);
@ -582,7 +592,7 @@ class UserControllerTest extends TestCase
}
);
// Rejected by filter
// rejected by filter
$filter = resolve(Filter::class);
$filter->add('user_can_update_avatar', function ($can, $user, $tid) use ($uid, $steve) {
$this->assertEquals($uid, $user->uid);