Image upload with synchronous true for new users


(Kenneth L. Jakobsen) #1

When i try to uploade a image with a user that is not a admin or moderator i get the success : “OK” insted of the image url. Hobe some one can help with a answer.

$.ajax({
    url: "/uploads.json",
    type: "post",
    data: formData,
    processData: false,
    contentType: false,
    headers: {
         'X-CSRF-Token': getCsrftoken()
   },
   success: function (data) {},
   error: function (XMLHttpRequest, textStatus, errorThrown) {}
});

How to get uploaded image url using the Discourse API?
(Jeff Atwood) #2

Sure, @techapj will take a look and get back to you


(Arpit Jalan) #3

Hi Kenneth,

I am not understanding what is the issue here.

I just verified that image upload works fine for both staff and non-staff users.


(Kenneth L. Jakobsen) #4

Hi
I am using the api with the synchronous true parameter to get the image url back with the responce. But this only works with admin and moderators and i cant find out why.

admin formdata send

    ------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="username"

kenneth
------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="file"; filename="Ballocity4.jpg"
Content-Type: image/jpeg


------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="synchronous"

true
------WebKitFormBoundary6ez66C4lWix1aPev--

normal user

------WebKitFormBoundary1ntANOhhef17w01u
Content-Disposition: form-data; name="username"

Kenneth_Jakobsen
------WebKitFormBoundary1ntANOhhef17w01u
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundary1ntANOhhef17w01u
Content-Disposition: form-data; name="file"; filename="8589655248_7fe6db1efc_b.jpg"
Content-Type: image/jpeg


------WebKitFormBoundary1ntANOhhef17w01u
Content-Disposition: form-data; name="synchronous"

true
------WebKitFormBoundary1ntANOhhef17w01u--

Admin is working but not the normal one.


(Régis Hanol) #5

Can you explain what you’re doing exactly? Why/how are you uploading images with “synchronous=true”?


(Kenneth L. Jakobsen) #6

Im creating a new editor for the company pleasecreate and are using the file upload api with the synchronous true parameter. When the image is uploaded i use the url from the response data in the post. The problem is that when a user that is not admin or moderator upload a image the response data only contains {“success”:“OK”}. and not the url. The code working for admin and moderators is shown below.

post request

$.ajax({
        url: "/uploads.json",
        type: "post",
        data: formData,
        processData: false,
        contentType: false,
        headers: {
             'X-CSRF-Token': getCsrftoken()
       },
       success: function (data) {
             var image = "<img src='" + data.url + "' width='" + data.width + "' height='" + data.height + "'/>";
       },
       error: function (XMLHttpRequest, textStatus, errorThrown) {}
    });

formdata

------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="username"

kenneth
------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="type"

image/jpeg
------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="file"; filename="Ballocity4.jpg"
Content-Type: image/jpeg


------WebKitFormBoundary6ez66C4lWix1aPev
Content-Disposition: form-data; name="synchronous"

true
------WebKitFormBoundary6ez66C4lWix1aPev--

(Richard - DiscourseHosting.com) #7

There is an explicit check in the code for staff users with regard to synchronous uploads. I don’t know why this is done but this is clearly the cause.
Why is the synchronous upload limited to staff users or API usage?


(Sam Saffron) #8

Its a security concern opening this up any wider, it would make it trivial exhaust unicorn workers really fast we opened this up.


(Régis Hanol) #9

Since we might do a CPU-intensive process when images are uploaded, we have to ensure users don’t DDoS the instance by uploading lots of very large images.

Initially, synchronous mode was only available via the API. @eviltrout recently allowed staff members too when he added the wizard.

(ninja’d)


Warning for new messages while writing to topic
(Kenneth L. Jakobsen) #10

hi thanks for the clarification and answer