画像のバリデーションをMimeTypeを用いるものに変更

fjordllc · Sep 27, 2024 · 770c936 · 770c936
1 parent e6112b7
commit 770c936
Show file tree

Hide file tree

Showing 5 changed files with 22 additions and 5 deletions.
diff --git a/app/controllers/current_user_controller.rb b/app/controllers/current_user_controller.rb
@@ -8,6 +8,7 @@ def edit
   end
 
   def update
+    @user.uploaded_avatar = user_params[:avatar]
     if @user.update(user_params)
       redirect_to @user, notice: 'ユーザー情報を更新しました。'
     else

diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
@@ -65,6 +65,7 @@ def create
     @user.course_id = params[:user][:course_id] if params[:user][:course_id].present?
     @user.course_id ||= Course.first.id
     @user.build_discord_profile
+    @user.uploaded_avatar = user_params[:avatar]
     Newspaper.publish(:user_create, { user: @user })
     if @user.staff? || @user.trainee?
       create_free_user!

diff --git a/app/models/user.rb b/app/models/user.rb
@@ -193,11 +193,9 @@ class User < ApplicationRecord
 
   validates :login_name, length: { minimum: 3, message: 'は3文字以上にしてください。' }
 
-  validates :avatar, attached: false,
-                     content_type: {
-                       in: %w[image/png image/jpg image/jpeg image/gif image/heic image/heif],
-                       message: 'はPNG, JPG, GIF, HEIC, HEIF形式にしてください'
-                     }
+  attr_accessor :uploaded_avatar
+
+  validate :validate_uploaded_avatar_content_type
 
   validates :country_code, inclusion: { in: ISO3166::Country.codes }, allow_blank: true
 
@@ -855,4 +853,13 @@ def category_having_active_practice
   def category_having_unstarted_practice
     unstarted_practices&.first&.categories&.first
   end
+
+  def validate_uploaded_avatar_content_type
+    return unless uploaded_avatar
+
+    mime_type = Marcel::Magic.by_magic(uploaded_avatar)&.type
+    return if mime_type&.start_with?('image/png', 'image/jpg', 'image/jpeg', 'image/gif', 'image/heic', 'image/heif')
+
+    errors.add(:avatar, 'は指定された拡張子(PNG, JPG, GIF, HEIC, HEIF形式)になっていないか、あるいは画像が破損している可能性があります')
+  end
 end
diff --git a/test/fixtures/files/images/broken_image.jpg b/test/fixtures/files/images/broken_image.jpg
diff --git a/test/system/users_test.rb b/test/system/users_test.rb
@@ -689,4 +689,12 @@ class UsersTest < ApplicationSystemTestCase
     filtered_users = all('.users-item__icon .a-user-role')
     assert(filtered_users.all? { |user| user[:class].split(' ').include?('is-student') })
   end
+
+  test 'can not upload broken image as user avatar' do
+    visit_with_auth '/current_user/edit', 'hajime'
+    attach_file 'user[avatar]', 'test/fixtures/files/images/broken_image.jpg', make_visible: true
+    click_button '更新する'
+
+    assert_text 'ユーザーアイコンは指定された拡張子(PNG, JPG, GIF, HEIC, HEIF形式)になっていないか、あるいは画像が破損している可能性があります'
+  end
 end