From 3a6ad52ac8ab24c2c60edebd2eb32fb1f2e50d4a Mon Sep 17 00:00:00 2001
From: Julian Lam <julian@designcreateplay.com>
Date: Tue, 9 Feb 2016 09:45:11 -0500
Subject: [PATCH] closes #4164

---
 src/file.js         |  2 +-
 src/groups/cover.js | 11 +++++++++--
 src/user/picture.js |  7 ++++++-
 3 files changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/file.js b/src/file.js
index 1c1cab7781..7fe5aa8f06 100644
--- a/src/file.js
+++ b/src/file.js
@@ -52,7 +52,7 @@ file.base64ToLocal = function(imageData, uploadPath, callback) {
 file.isFileTypeAllowed = function(path, callback) {
 	// Attempt to read the file, if it passes, file type is allowed
 	jimp.read(path, function(err) {
-		callback(err);
+		callback(err, path);
 	});
 };
 
diff --git a/src/groups/cover.js b/src/groups/cover.js
index f26350e09d..492138e75a 100644
--- a/src/groups/cover.js
+++ b/src/groups/cover.js
@@ -9,6 +9,7 @@ var Jimp = require('jimp');
 
 
 var db = require('../database');
+var file = require('../file');
 var uploadsController = require('../controllers/uploads');
 
 module.exports = function(Groups) {
@@ -38,7 +39,11 @@ module.exports = function(Groups) {
 				writeImageDataToFile(data.imageData, next);
 			},
 			function (_tempPath, next) {
-				tempPath = _tempPath;
+				tempPath = _tempPath;	// set in local var so it can be deleted if file type invalid
+				next(null, tempPath);
+			},
+			async.apply(file.isFileTypeAllowed),
+			function (_tempPath, next) {
 				uploadsController.uploadGroupCover(uid, {
 					name: 'groupCover',
 					path: tempPath
@@ -65,7 +70,9 @@ module.exports = function(Groups) {
 			}
 		], function (err) {
 			if (err) {
-				return callback(err);
+				return fs.unlink(tempPath, function(unlinkErr) {
+					callback(err);	// send back original error
+				});
 			}
 
 			if (data.position) {
diff --git a/src/user/picture.js b/src/user/picture.js
index 2d72d265d8..d1d065a9be 100644
--- a/src/user/picture.js
+++ b/src/user/picture.js
@@ -168,6 +168,9 @@ module.exports = function(User) {
 				}, next);
 			},
 			function(next) {
+				file.isFileTypeAllowed(tempPath, next);
+			},
+			function(tempPath, next) {
 				var image = {
 					name: 'profileCover',
 					path: data.file ? data.file.path : tempPath,
@@ -204,7 +207,9 @@ module.exports = function(User) {
 			}
 		], function(err) {
 			if (err) {
-				return callback(err);
+				return fs.unlink(tempPath, function(unlinkErr) {
+					callback(err);	// send back the original error
+				});
 			}
 
 			if (data.position) {