fix(multi): resolve 14 bugs from second comprehensive review
Build and Deploy / build-and-push (push) Successful in 4m2s
Core (solitaire_core):
- fix(scoring): apply -15 penalty for Foundation→Tableau moves when take_from_foundation is enabled; update test
- fix(solver): is_won() validates full Ace→King suit sequence, not just card count — prevents hint system from emitting invalid paths

Engine — animation / layout:
- fix(animation): guard CardAnim advance against duration=0 to prevent NaN-poisoned Transform (analogous to CardAnimation's instant-snap path)
- fix(card_plugin): align TABLEAU_FAN_FRAC (0.25→0.18) and TABLEAU_FACEDOWN_FAN_FRAC (0.20→0.14) with layout.rs so the initial layout and first dynamic update produce identical fan spacing
- fix(layout): update tableau_fan_frac doc comment from 0.25→0.18

Engine — ECS / modal guards:
- fix(auto_complete): drive_auto_complete now checks PausedResource so cooldown does not tick while paused (prevents instant-move on unpause)
- fix(play_by_seed): handle_open_dialog checks global ModalScrim guard to prevent stacking over an existing modal
- fix(win_summary): spawn_win_summary_after_delay checks global ModalScrim guard; collect_session_achievements uses .next() not .last() to avoid draining the new_games stream

Engine — message registration:
- fix(leaderboard): register InfoToastEvent in LeaderboardPlugin::build so opt-in/opt-out toasts work under MinimalPlugins
- fix(replay_playback): register StateChangedEvent in ReplayPlaybackPlugin::build to prevent panic when used standalone

Security:
- fix(sync_setup): zero password SyncFieldBuffer immediately after spawning auth task — credential must not linger in ECS components

Server:
- fix(auth): replace MIME contains-chain with exact match for avatar upload; removes illusory starts_with guard and dead ALLOWED_IMAGE_TYPES

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@@ -341,8 +341,6 @@ pub async fn get_me(
|
||||
}))
|
||||
}
|
||||
|
||||
/// Allowed MIME types for uploaded avatars.
|
||||
const ALLOWED_IMAGE_TYPES: &[&str] = &["image/jpeg", "image/png", "image/webp", "image/gif"];
|
||||
/// Maximum avatar upload size in bytes (1 MB).
|
||||
const AVATAR_MAX_BYTES: usize = 1024 * 1024;
|
||||
|
||||
@@ -361,23 +359,15 @@ pub async fn upload_avatar(
|
||||
.and_then(|v| v.to_str().ok())
|
||||
.unwrap_or("")
|
||||
.to_string();
|
||||
let ext = if mime.contains("jpeg") || mime.contains("jpg") {
|
||||
"jpg"
|
||||
} else if mime.contains("png") {
|
||||
"png"
|
||||
} else if mime.contains("webp") {
|
||||
"webp"
|
||||
} else if mime.contains("gif") {
|
||||
"gif"
|
||||
} else {
|
||||
return Err(AppError::BadRequest(
|
||||
let ext = match mime.as_str() {
|
||||
"image/jpeg" | "image/jpg" => "jpg",
|
||||
"image/png" => "png",
|
||||
"image/webp" => "webp",
|
||||
"image/gif" => "gif",
|
||||
_ => return Err(AppError::BadRequest(
|
||||
"avatar must be image/jpeg, image/png, image/webp, or image/gif".into(),
|
||||
));
|
||||
)),
|
||||
};
|
||||
|
||||
if !ALLOWED_IMAGE_TYPES.iter().any(|t| mime.starts_with(t)) {
|
||||
return Err(AppError::BadRequest("unsupported image type".into()));
|
||||
}
|
||||
if body.len() > AVATAR_MAX_BYTES {
|
||||
return Err(AppError::BadRequest("avatar must be ≤ 1 MB".into()));
|
||||
}
|
||||
|
||||
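Review bot: The new `match mime.as_str()` compares the raw Content-Type header value, so a well-formed header that carries parameters or different casing (for example `image/png; charset=binary` or `Image/PNG`) now falls through to `_ => return Err(AppError::BadRequest(`, where the old `contains` chain accepted it. Media type names are case-insensitive and may be followed by `;`-separated parameters, so normalize before matching: take the part before the first `;`, trim it, and lowercase it with `to_ascii_lowercase()`, then match on that. Two smaller points in the same block: the first arm accepts `"image/jpg"` but the error string lists only image/jpeg, image/png, image/webp and image/gif, so either drop that arm or mention it in the message; and in the visible lines `ext` is derived only from the client-supplied header, so unless the body bytes are checked elsewhere in `upload_avatar`, a signature check of `body` against the declared type is needed before the extension can be trusted.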