上传头像大小和图片类型在后台加入限制,且通过测试

app/controllers/avatar_controller.rb

@@ -1,9 +1,9 @@
 class AvatarController < ApplicationController
-  
+
-     
+  include ActionView::Helpers::NumberHelper
   #before_filter :set_cache_buster   
   include AvatarHelper
-      
+
   def upload
     # Make sure that API users get used to set this content type
     # as it won't trigger Rails' automatic parsing of the request body for parameters
@@ -29,43 +29,51 @@ class AvatarController < ApplicationController
     end
 
     if  @temp_file && (@temp_file.size > 0)
-      diskfile=disk_filename(@source_type,@source_id)
+      if @temp_file.size > Setting.upload_avatar_max_size.to_i
-      @urlfile='/' << File.join("images","avatars",avatar_directory(@source_type),avatar_filename(@source_id,@image_file))
+        @status = 1
+        @msg = l(:error_upload_avatar_to_large, :max_size => number_to_human_size(Setting.upload_avatar_max_size.to_i))
+      elsif Trustie::Utils::Image.new(@temp_file.tempfile.path).image?
+        diskfile=disk_filename(@source_type,@source_id)
+        @urlfile='/' << File.join("images","avatars",avatar_directory(@source_type),avatar_filename(@source_id,@image_file))
 
-      # 用户头像上传时进行特别处理
+        # 用户头像上传时进行特别处理
-      if  @source_type == 'User'
+        if  @source_type == 'User'
           diskfile += "temp"
           @urlfile += "temp"
-      end
+        end
 
-      logger.info("Saving avatar '#{diskfile}' (#{@temp_file.size} bytes)")
+        logger.info("Saving avatar '#{diskfile}' (#{@temp_file.size} bytes)")
-      path = File.dirname(diskfile)
+        path = File.dirname(diskfile)
-      unless File.directory?(path)
+        unless File.directory?(path)
-        FileUtils.mkdir_p(path)
+          FileUtils.mkdir_p(path)
-      end
+        end
-      md5 = Digest::MD5.new
+        md5 = Digest::MD5.new
-      File.open(diskfile, "wb") do |f|
+        File.open(diskfile, "wb") do |f|
-        if @temp_file.respond_to?(:read)
+          if @temp_file.respond_to?(:read)
-          buffer = ""
+            buffer = ""
-          while (buffer = @temp_file.read(8192))
+            while (buffer = @temp_file.read(8192))
-            f.write(buffer)
+              f.write(buffer)
-            md5.update(buffer)
+              md5.update(buffer)
+            end
+          else
+            f.write(@temp_file)
+            md5.update(@temp_file)
           end
-        else
-        f.write(@temp_file)
-        md5.update(@temp_file)
         end
+
+        Trustie::Utils::Image.new(diskfile,true).compress(300)
+        @status = 0
+        @msg = ''
+      else
+        @status = 2
+        @msg = l(:not_valid_image_file)
       end
-#    self.digest = md5.hexdigest
     end
     @temp_file = nil
 
-    image = Trustie::Utils::Image.new(diskfile,true)
-    image.compress(300)
-
     respond_to do |format|
       format.json{
-        render :inline => "#{@urlfile.to_s}?#{Time.now.to_i}",:content_type => 'text/html'
+        render :inline => {status: @status, message:@msg, url:"#{@urlfile.to_s}?#{Time.now.to_i}"}.to_json,:content_type => 'text/html'
         return
       }
       format.js

config/locales/en.yml

@@ -1521,4 +1521,5 @@ en:
   label_commit_failed: commit failed
   #api end
   error_upload_avatar_to_large: "too big (%{max_size})"
+  not_valid_image_file: not a valid image file
 

config/locales/zh.yml

@@ -1984,3 +1984,4 @@ zh:
   label_code: 代码
 
   error_upload_avatar_to_large: "超过大小限制 (%{max_size})"
+  not_valid_image_file: 不是有效的图片文件

lib/trustie/utils/image.rb

@@ -3,11 +3,37 @@
 module Trustie
   module Utils
     class Image
-      def initialize(file, bak)
+      def initialize(file, bak=false)
         @file = file
         @bak = bak
       end
 
+      def bitmap?(data)
+        data[0,2]==77.chr + 66.chr
+      end
+
+      def gif?(data)
+        data[0,4]==71.chr + 73.chr + 70.chr + 56.chr
+      end
+
+      def jpeg?(data)
+        data[0,4]== 0xff.chr + 0xd8.chr + 0xff.chr + 0xe0.chr
+      end
+      def png?(data)
+        data[0,2]==0x89.chr + 80.chr
+      end
+
+      def image?
+        begin
+          f = File.open(@file,'rb')  # rb means to read using binary
+          return false if f.size < 9
+          data = f.read(9)              # magic numbers are up to 9 bytes
+          return bitmap?(data) || gif?(data) || jpeg?(data) || png?(data)
+        ensure
+          f.close
+        end
+      end
+
       def compress(size=300)
         backup if @bak
         begin

public/javascripts/jq-upload/upload.js

@@ -44,9 +44,18 @@ $(function() {
         },
         done: function(e, data) {
             var imgSpan = jQuery('#avatar_image');
-            imgSpan.attr({
+            var result = data.result.text ? data.result.text() : data.result;
-                "src": data.result.text ? data.result.text() : data.result
+            if(result){
-            });
+              var o = JSON.parse(result);
+              if(o.status == 0){
+                imgSpan.attr({
+                  "src": o.url
+                });
+              } else {
+                alert(o.message);
+              }
+            }
+
         }
     });
 });

spec/requests/course_request_spec.rb

@@ -35,13 +35,53 @@ RSpec.describe "课程", :type => :request do
     context "修改课程图片" do
       include Rack::Test::Methods
       let(:avatar) {Rack::Test::UploadedFile.new("#{Rails.root}/spec/fixtures/test.jpg",'image/jpg')}
+
       context "正常图片上传成功" do
         subject(:resp) {post upload_avatar_path(source_type: 'Course', source_id: course.id, format: :json),"avatar"=>{image: avatar}}
         it{ expect(subject).to be_ok }
         it{ expect(subject.body).not_to be_empty }
+        it "状态要为0" do
+          o = ActiveSupport::JSON.decode(subject.body)
+          expect(o["status"]).to eq(0)
+        end
+        it "要回传图片地址" do
+          o = ActiveSupport::JSON.decode(subject.body)
+          expect(o["url"]).not_to be_empty
+        end
+      end
+
+      context "不是图片，上传失败" do
+        let(:invalid_avatar) {Rack::Test::UploadedFile.new("#{Rails.root}/spec/fixtures/hah.txt",'text/plain')}
+        before do
+         resp = post upload_avatar_path(source_type: 'Course', source_id: course.id, format: :json),"avatar"=>{image: invalid_avatar}
+         @o = ActiveSupport::JSON.decode(resp.body)
+        end
+        it "状态要为0" do
+          expect(@o["status"]).not_to eq(0)
+        end
+        it "要回传错误信息" do
+          expect(@o["message"]).to be_include("图片")
+        end
+      end
+
+      context "文件过大，上传失败" do
+        before do
+          big_file = Rack::Test::UploadedFile.new("#{Rails.root}/spec/fixtures/test.jpg",'image/jpg')
+          allow(ActionDispatch::Http::UploadedFile).to receive(:new).and_return(double('BigFile',size: 10*1024*1024, original_filename: 'rais.jpg', tempfile: nil))
+          # trace = TracePoint.new(:call) do |tp|
+          #   p [tp.lineno, tp.defined_class, tp.method_id, tp.event] if tp.method_id == :post
+          # end
+         resp = post upload_avatar_path(source_type: 'Course', source_id: course.id, format: :json),'avatar[image]'=> big_file
+         @o = ActiveSupport::JSON.decode(resp.body)
+        end
+        it "状态要为0" do
+          expect(@o["status"]).not_to eq(0)
+        end
+        it "要回传错误信息" do
+          expect(@o["message"]).to be_include("大")
+        end
       end
 
-      it "不是图片，上传失败"
     end
   end