From a699ebdbcc11051b9473a88788cf8efdde659975 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Mon, 11 Feb 2013 21:31:19 +0200
Subject: [PATCH 1/3] handle attahcment with send_file

---
 app/controllers/files_controller.rb    | 8 ++++++++
 app/uploaders/attachment_uploader.rb   | 4 ++++
 app/views/events/event/_note.html.haml | 2 +-
 app/views/notes/_note.html.haml        | 2 +-
 config/routes.rb                       | 5 +++++
 5 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 app/controllers/files_controller.rb

diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
new file mode 100644
index 00000000..f13a543c
--- /dev/null
+++ b/app/controllers/files_controller.rb
@@ -0,0 +1,8 @@
+class FilesController < ApplicationController
+  def download
+    uploader = Note.find(params[:id]).attachment
+    uploader.retrieve_from_store!(params[:filename])
+    send_file uploader.file.path, disposition: 'attachment'
+  end
+end
+
diff --git a/app/uploaders/attachment_uploader.rb b/app/uploaders/attachment_uploader.rb
index 3dbf2860..3dd2117e 100644
--- a/app/uploaders/attachment_uploader.rb
+++ b/app/uploaders/attachment_uploader.rb
@@ -19,4 +19,8 @@ class AttachmentUploader < CarrierWave::Uploader::Base
   rescue
     false
   end
+
+  def secure_url
+    "/files/#{model.class.to_s.underscore}/#{model.id}/#{file.filename}"
+  end
 end
diff --git a/app/views/events/event/_note.html.haml b/app/views/events/event/_note.html.haml
index 20c3b927..19665ce0 100644
--- a/app/views/events/event/_note.html.haml
+++ b/app/views/events/event/_note.html.haml
@@ -26,7 +26,7 @@
     = markdown truncate(event.target.note, length: 70)
     - note = event.target
     - if note.attachment.url
-      = link_to note.attachment.url, target: "_blank", class: 'note-file-attach' do
+      = link_to note.attachment.secure_url, target: "_blank", class: 'note-file-attach' do
         - if note.attachment.image?
           = image_tag note.attachment.url, class: 'note-image-attach'
         - else
diff --git a/app/views/notes/_note.html.haml b/app/views/notes/_note.html.haml
index 4d3007a0..b355e2a0 100644
--- a/app/views/notes/_note.html.haml
+++ b/app/views/notes/_note.html.haml
@@ -31,7 +31,7 @@
     - if note.attachment.image?
       = image_tag note.attachment.url, class: 'note-image-attach'
     .attachment.pull-right
-      = link_to note.attachment.url, target: "_blank" do
+      = link_to note.attachment.secure_url, target: "_blank" do
         %i.icon-paper-clip
         = note.attachment_identifier
   .clear
diff --git a/config/routes.rb b/config/routes.rb
index 47c8a412..d717e735 100644
--- a/config/routes.rb
+++ b/config/routes.rb
@@ -45,6 +45,11 @@ Gitlab::Application.routes.draw do
     root to: "projects#index"
   end
 
+  #
+  # Attachments serving
+  #
+  get 'files/:type/:id/:filename' => 'files#download', constraints: { id: /\d+/, type: /[a-z]+/, filename: /[a-zA-Z.0-9_\-\+]+/ }
+
   #
   # Admin Area
   #

From 4821aa6c251a1a2eb4f1fac7bf0f2897a435b48b Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Fri, 15 Feb 2013 09:49:35 +0200
Subject: [PATCH 2/3] skip protection to aws3

---
 app/controllers/files_controller.rb  | 1 -
 app/uploaders/attachment_uploader.rb | 6 +++++-
 2 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
index f13a543c..09f1e551 100644
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@@ -1,7 +1,6 @@
 class FilesController < ApplicationController
   def download
     uploader = Note.find(params[:id]).attachment
-    uploader.retrieve_from_store!(params[:filename])
     send_file uploader.file.path, disposition: 'attachment'
   end
 end
diff --git a/app/uploaders/attachment_uploader.rb b/app/uploaders/attachment_uploader.rb
index 3dd2117e..200700b8 100644
--- a/app/uploaders/attachment_uploader.rb
+++ b/app/uploaders/attachment_uploader.rb
@@ -21,6 +21,10 @@ class AttachmentUploader < CarrierWave::Uploader::Base
   end
 
   def secure_url
-    "/files/#{model.class.to_s.underscore}/#{model.id}/#{file.filename}"
+    if self.class.storage == CarrierWave::Storage::File
+      "/files/#{model.class.to_s.underscore}/#{model.id}/#{file.filename}"
+    else
+      url
+    end
   end
 end

From f6cc71bc36283223a10f3004121be34f06547d94 Mon Sep 17 00:00:00 2001
From: Dmitriy Zaporozhets <dmitriy.zaporozhets@gmail.com>
Date: Fri, 15 Feb 2013 09:51:21 +0200
Subject: [PATCH 3/3] Per project protection

---
 app/controllers/files_controller.rb | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/app/controllers/files_controller.rb b/app/controllers/files_controller.rb
index 09f1e551..3cd2e773 100644
--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
@@ -1,7 +1,13 @@
 class FilesController < ApplicationController
   def download
-    uploader = Note.find(params[:id]).attachment
-    send_file uploader.file.path, disposition: 'attachment'
+    note = Note.find(params[:id])
+
+    if can?(current_user, :read_project, note.project)
+      uploader = note.attachment
+      send_file uploader.file.path, disposition: 'attachment'
+    else
+      not_found!
+    end
   end
 end