Unify hashing for avatar (#22289)

- Unify the hashing code for repository and user avatars into a function. - Use a sane hash function instead of MD5. - Only require hashing once instead of twice(w.r.t. hashing for user avatar). - Improve the comment for the hashing code of why it works. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Yarden Shoham <hrsi88@gmail.com>
2023-01-02 22:46:39 +01:00 · 2023-01-02 22:46:39 +01:00 · 96797fed31
commit 96797fed31
parent fcd6ceef2b
4 changed files with 32 additions and 11 deletions
--- a/services/repository/avatar.go
+++ b/services/repository/avatar.go
@ -5,7 +5,6 @@ package repository

 import (
 	"context"
-	"crypto/md5"
 	"fmt"
 	"image/png"
 	"io"
@ -27,7 +26,7 @@ func UploadAvatar(repo *repo_model.Repository, data []byte) error {
 		return err
 	}

-	newAvatar := fmt.Sprintf("%d-%x", repo.ID, md5.Sum(data))
+	newAvatar := avatar.HashAvatar(repo.ID, data)
 	if repo.Avatar == newAvatar { // upload the same picture
 		return nil
 	}
--- a/services/repository/avatar_test.go
+++ b/services/repository/avatar_test.go
@ -5,14 +5,13 @@ package repository

 import (
 	"bytes"
-	"crypto/md5"
-	"fmt"
 	"image"
 	"image/png"
 	"testing"

 	repo_model "code.gitea.io/gitea/models/repo"
 	"code.gitea.io/gitea/models/unittest"
+	"code.gitea.io/gitea/modules/avatar"

 	"github.com/stretchr/testify/assert"
 )
@ -28,7 +27,7 @@ func TestUploadAvatar(t *testing.T) {

 	err := UploadAvatar(repo, buff.Bytes())
 	assert.NoError(t, err)
-	assert.Equal(t, fmt.Sprintf("%d-%x", 10, md5.Sum(buff.Bytes())), repo.Avatar)
+	assert.Equal(t, avatar.HashAvatar(10, buff.Bytes()), repo.Avatar)
 }

 func TestUploadBigAvatar(t *testing.T) {
--- a/services/user/user.go
+++ b/services/user/user.go
@ -5,7 +5,6 @@ package user

 import (
 	"context"
-	"crypto/md5"
 	"fmt"
 	"image/png"
 	"io"
@ -241,11 +240,7 @@ func UploadAvatar(u *user_model.User, data []byte) error {
 	defer committer.Close()

 	u.UseCustomAvatar = true
-	// Different users can upload same image as avatar
-	// If we prefix it with u.ID, it will be separated
-	// Otherwise, if any of the users delete his avatar
-	// Other users will lose their avatars too.
-	u.Avatar = fmt.Sprintf("%x", md5.Sum([]byte(fmt.Sprintf("%d-%x", u.ID, md5.Sum(data)))))
+	u.Avatar = avatar.HashAvatar(u.ID, data)
 	if err = user_model.UpdateUserCols(ctx, u, "use_custom_avatar", "avatar"); err != nil {
 		return fmt.Errorf("updateUser: %w", err)
 	}