From a699ebdbcc11051b9473a88788cf8efdde659975 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Mon, 11 Feb 2013 21:31:19 +0200
Subject: [PATCH 1/3] handle attahcment with send_file

---
 app/controllers/files_controller.rb    | 8 ++++++++
 app/uploaders/attachment_uploader.rb   | 4 ++++
 app/views/events/event/_note.html.haml | 2 +-
 app/views/notes/_note.html.haml        | 2 +-
 config/routes.rb                       | 5 +++++
 5 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 app/controllers/files_controller.rb

diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
new file mode 100644
index 00000000..f13a543c
--- /dev/null
+++ b/app/controllers/files_controller.rb
@@ -0,0 +1,8 @@
+class FilesController < ApplicationController
+  def download
+    uploader = Note.find(params[:id]).attachment
+    uploader.retrieve_from_store!(params[:filename])
+    send_file uploader.file.path, disposition: 'attachment'
+  end
+end
+
diff --git a/app/uploaders/attachment_uploader.rb b/app/uploaders/attachment_uploader.rb
index 3dbf2860..3dd2117e 100644
--- a/app/uploaders/attachment_uploader.rb
+++ b/app/uploaders/attachment_uploader.rb
@@ -19,4 +19,8 @@ class AttachmentUploader < CarrierWave::Uploader::Base
   rescue
     false
   end
+
+  def secure_url
+    "/files/#{model.class.to_s.underscore}/#{model.id}/#{file.filename}"
+  end
 end
diff --git a/app/views/events/event/_note.html.haml b/app/views/events/event/_note.html.haml
index 20c3b927..19665ce0 100644
--- a/app/views/events/event/_note.html.haml
+++ b/app/views/events/event/_note.html.haml
@@ -26,7 +26,7 @@
         = markdown truncate(event.target.note, length: 70)
       - note = event.target
       - if note.attachment.url
-        = link_to note.attachment.url, target: "_blank", class: 'note-file-attach' do
+        = link_to note.attachment.secure_url, target: "_blank", class: 'note-file-attach' do
           - if note.attachment.image?
             = image_tag note.attachment.url, class: 'note-image-attach'
           - else
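Review bot: `uploader.retrieve_from_store!(params[:filename])` lets the URL's filename segment, not the note record, decide which file under the note's store directory is handed to `send_file`, and nothing compares that segment with the note's own `attachment_identifier`; the route constraint narrows the character set but still admits `..`. Binding the segment to the record, e.g. `note = Note.find(params[:id])` followed by `not_found! unless params[:filename] == note.attachment_identifier`, keeps the served file tied to the model (the second patch in this series removes the `retrieve_from_store!` call instead, which also resolves this). The action also performs no access check before serving; that is addressed in the third patch, so it is noted here only for the review of this commit on its own.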
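Review bot: `file.filename` is interpolated into the path unescaped, so an attachment whose name contains a space or any character outside the route's `filename` constraint (`/[a-zA-Z.0-9_\-\+]+/`) yields a link that does not route, and a name containing `?` or `#` would cut the path short in the href; `ERB::Util.url_encode(file.filename)` fixes the escaping, but the constraint must then also admit `%`. The method also hand-builds a path that has to stay in step with `config/routes.rb`, which a named route helper would avoid. A doc comment is needed because the name promises a property the method itself does not provide: `# Path served by FilesController, where the access check lives; the plain storage url is not routed through it.`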
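Review bot: The link now points at `secure_url`, but `image_tag note.attachment.url` two lines below (and the `- if note.attachment.url` guard) still embed the plain storage `url`, so for image attachments the page continues to reference the unprotected path and the new route only covers the non-image download link. If attachments are meant to be gated on project access, the preview should go through the controller as well, `= image_tag note.attachment.secure_url, class: 'note-image-attach'` (the controller's `disposition: 'attachment'` may need an inline variant for previews), and the direct upload path must not be served by the web server — which this diff cannot show either way. The same pattern is in `app/views/notes/_note.html.haml` in the next hunk.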
diff --git a/app/views/notes/_note.html.haml b/app/views/notes/_note.html.haml
index 4d3007a0..b355e2a0 100644
--- a/app/views/notes/_note.html.haml
+++ b/app/views/notes/_note.html.haml
@@ -31,7 +31,7 @@
       - if note.attachment.image?
         = image_tag note.attachment.url, class: 'note-image-attach'
       .attachment.pull-right
-        = link_to note.attachment.url, target: "_blank" do
+        = link_to note.attachment.secure_url, target: "_blank" do
           %i.icon-paper-clip
           = note.attachment_identifier
   .clear
diff --git a/config/routes.rb b/config/routes.rb
index 47c8a412..d717e735 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -45,6 +45,11 @@ Gitlab::Application.routes.draw do
     root to: "projects#index"
   end
 
+  #
+  # Attachments serving
+  #
+  get 'files/:type/:id/:filename' => 'files#download', constraints: { id: /\d+/, type: /[a-z]+/, filename: /[a-zA-Z.0-9_\-\+]+/ }
+
   #
   # Admin Area
   #
From 4821aa6c251a1a2eb4f1fac7bf0f2897a435b48b Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Fri, 15 Feb 2013 09:49:35 +0200
Subject: [PATCH 2/3] skip protection to aws3

---
 app/controllers/files_controller.rb  | 1 -
 app/uploaders/attachment_uploader.rb | 6 +++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
index f13a543c..09f1e551 100644
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@@ -1,7 +1,6 @@
 class FilesController < ApplicationController
   def download
     uploader = Note.find(params[:id]).attachment
-    uploader.retrieve_from_store!(params[:filename])
     send_file uploader.file.path, disposition: 'attachment'
   end
 end
diff --git a/app/uploaders/attachment_uploader.rb b/app/uploaders/attachment_uploader.rb
index 3dd2117e..200700b8 100644
--- a/app/uploaders/attachment_uploader.rb
+++ b/app/uploaders/attachment_uploader.rb
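Review bot: The route captures `:type` with a `/[a-z]+/` constraint, but `FilesController#download` in this same patch resolves `Note` unconditionally, so every `:type` value the regex accepts serves the same record and the segment adds nothing but a false sense of dispatch. Either dispatch on it against an explicit whitelist of owner classes or record why it is there, e.g. `# :type is reserved for other attachment owners; only Note is served today`. The per-segment constraints themselves are anchored by Rails, so the regexes are fine as written. Whether this route, which sits outside the project namespace, inherits an authentication filter from `ApplicationController` is not visible here and is worth confirming.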
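Review bot: With `retrieve_from_store!` gone, `params[:filename]` is no longer read at all, so the served file is whatever is mounted on the note and the URL's filename segment is decorative; when the note has no attachment, `uploader.file` is presumably `nil` and `uploader.file.path` raises instead of answering 404. A guard such as `return not_found! unless uploader.file` (the helper the third patch uses) closes that, and the same gap remains in the third patch's rewrite of this method. If the segment is meant to stay in the URL, comparing it with `note.attachment_identifier` would keep links canonical.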
@@ -21,6 +21,10 @@ class AttachmentUploader < CarrierWave::Uploader::Base
   end
 
   def secure_url
-    "/files/#{model.class.to_s.underscore}/#{model.id}/#{file.filename}"
+    if self.class.storage == CarrierWave::Storage::File
+      "/files/#{model.class.to_s.underscore}/#{model.id}/#{file.filename}"
+    else
+      url
+    end
   end
 end
From f6cc71bc36283223a10f3004121be34f06547d94 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets
Date: Fri, 15 Feb 2013 09:51:21 +0200
Subject: [PATCH 3/3] Per project protection

---
 app/controllers/files_controller.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
index 09f1e551..3cd2e773 100644
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@@ -1,7 +1,13 @@
 class FilesController < ApplicationController
   def download
-    uploader = Note.find(params[:id]).attachment
-    send_file uploader.file.path, disposition: 'attachment'
+    note = Note.find(params[:id])
+
+    if can?(current_user, :read_project, note.project)
+      uploader = note.attachment
+      send_file uploader.file.path, disposition: 'attachment'
+    else
+      not_found!
+    end
   end
 end
 
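Review bot: `secure_url` now returns the plain `url` whenever storage is not `CarrierWave::Storage::File`, so with fog/S3 storage the `FilesController` access check is skipped entirely and exposure is decided by the bucket's own policy, which this diff cannot show; the method name promises more than that branch delivers. At minimum document the split: `# Local storage is served through FilesController, where authorization applies; remote storage returns the storage URL as-is.` If remote attachments are meant to be protected too, the controller would have to proxy them or hand out expiring URLs rather than fall back to `url` here.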
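Review bot: `download` carries no comment stating the access rule it enforces, and the `not_found!` branch deliberately answers a denied request the same way a missing note presumably does (`Note.find` raising), which is worth recording so a later edit does not turn it into a 403 that confirms the note exists. Suggest `# Serves a Note's locally stored attachment; denied access is reported as not found so the note's existence is not disclosed.` above `def download`. `note.project` is assumed non-nil for every Note here; if any Note kind lacks a project, `can?` would be evaluated against `nil` — confirm.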