This is an automated email from the ASF dual-hosted git repository.
LinkinStars pushed a commit to branch fix/2.0.1/chat
in repository https://gitbox.apache.org/repos/asf/answer.git
The following commit(s) were added to refs/heads/fix/2.0.1/chat by this push:
new 11091244 fix(user): enhance avatar validation by adding checks for
custom avatars and file ownership
11091244 is described below
commit 11091244f64e5a7e472edcd477c1ff4124eca7c3
Author: LinkinStars <[email protected]>
AuthorDate: Mon May 11 12:05:18 2026 +0800
fix(user): enhance avatar validation by adding checks for custom avatars
and file ownership
---
internal/service/content/user_service.go | 39 ++++++++++++++++++++++
.../service/siteinfo_common/siteinfo_service.go | 5 +++
2 files changed, 44 insertions(+)
diff --git a/internal/service/content/user_service.go
b/internal/service/content/user_service.go
index 711d6caa..42a2efda 100644
--- a/internal/service/content/user_service.go
+++ b/internal/service/content/user_service.go
@@ -353,6 +353,10 @@ func (us *UserService) UpdateInfo(ctx context.Context, req
*schema.UpdateInfoReq
if !exist {
return nil, errors.BadRequest(reason.UserNotFound)
}
+ errFields, err = us.validateAvatarInfo(ctx, req.UserID,
oldUserInfo.Avatar, req.Avatar)
+ if err != nil {
+ return errFields, err
+ }
cond := us.formatUserInfoForUpdateInfo(oldUserInfo, req)
@@ -366,6 +370,41 @@ func (us *UserService) UpdateInfo(ctx context.Context, req
*schema.UpdateInfoReq
return nil, err
}
+func (us *UserService) validateAvatarInfo(
+ ctx context.Context,
+ userID string,
+ oldAvatarJSON string,
+ newAvatar schema.AvatarInfo,
+) (errFields []*validator.FormErrorField, err error) {
+ if newAvatar.Type != constant.AvatarTypeCustom {
+ return nil, nil
+ }
+ if len(newAvatar.Custom) == 0 {
+ return append(errFields, &validator.FormErrorField{
+ ErrorField: "avatar",
+ ErrorMsg: reason.UserSetAvatar,
+ }), errors.BadRequest(reason.UserSetAvatar)
+ }
+
+ var oldAvatar schema.AvatarInfo
+ _ = json.Unmarshal([]byte(oldAvatarJSON), &oldAvatar)
+ if oldAvatar.Type == constant.AvatarTypeCustom && oldAvatar.Custom ==
newAvatar.Custom {
+ return nil, nil
+ }
+
+ fileRecord, err := us.fileRecordService.GetFileRecordByURL(ctx,
newAvatar.Custom)
+ if err != nil {
+ return nil, err
+ }
+ if fileRecord == nil || fileRecord.UserID != userID ||
fileRecord.Source != string(plugin.UserAvatar) {
+ return append(errFields, &validator.FormErrorField{
+ ErrorField: "avatar",
+ ErrorMsg: reason.UserSetAvatar,
+ }), errors.BadRequest(reason.UserSetAvatar)
+ }
+ return nil, nil
+}
+
func (us *UserService) cleanUpRemovedAvatar(
ctx context.Context,
oldAvatarJSON string,
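Review bot: The discarded `json.Unmarshal` result in validateAvatarInfo deserves a comment, because its consequence is security-relevant and not obvious: when the stored avatar is a legacy bare URL rather than JSON (the case the siteinfo_service.go hunk starts handling in selectedAvatar), the decode fails, oldAvatar stays zero-valued, the "same custom URL as before" short-circuit is skipped, and the request falls through to the ownership lookup, so the check fails closed rather than open; I would write `// Legacy rows store a bare URL, not JSON; a failed decode leaves oldAvatar zero so the request falls through to the ownership check below.` The method also needs a doc comment stating its contract, in particular that re-submitting the already stored custom URL is accepted without a file-record lookup, which is what lets avatars set before this check survive but also means a previously stored URL is never re-verified. The `return nil, err` after GetFileRecordByURL presumably returns a not-found condition as a raw error if that service reports missing records that way rather than as `nil, nil`, in which case the caller would see an internal error instead of the `UserSetAvatar` form error; worth confirming against the service. As a point of style, `append(errFields, ...)` on a nil named result reads oddly in both branches; `[]*validator.FormErrorField{{ErrorField: "avatar", ErrorMsg: reason.UserSetAvatar}}` says the same thing directly, and the two identical branches could share one local.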
diff --git a/internal/service/siteinfo_common/siteinfo_service.go
b/internal/service/siteinfo_common/siteinfo_service.go
index 90d48fc3..5e3964c0 100644
--- a/internal/service/siteinfo_common/siteinfo_service.go
+++ b/internal/service/siteinfo_common/siteinfo_service.go
@@ -27,6 +27,7 @@ import (
"github.com/apache/answer/internal/base/constant"
"github.com/apache/answer/internal/entity"
"github.com/apache/answer/internal/schema"
+ "github.com/apache/answer/pkg/checker"
"github.com/apache/answer/pkg/gravatar"
"github.com/segmentfault/pacman/log"
)
@@ -158,6 +159,10 @@ func (s *siteInfoCommonService) selectedAvatar(
email string, userStatus int) *schema.AvatarInfo {
avatarInfo := &schema.AvatarInfo{}
_ = json.Unmarshal([]byte(originalAvatarData), avatarInfo)
+ if len(avatarInfo.Type) == 0 && checker.IsURL(originalAvatarData) {
+ avatarInfo.Type = constant.AvatarTypeCustom
+ avatarInfo.Custom = originalAvatarData
+ }
if userStatus == entity.UserStatusDeleted {
return &schema.AvatarInfo{