trabajo-afectivo/app/controllers/attachments_controller.rb

# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/

class AttachmentsController < ApplicationController
  prepend_before_action :authentication_check, except: %i[show destroy]
  prepend_before_action :authentication_check_only, only: %i[show destroy]
  before_action :verify_object_permissions, only: %i[show destroy]

  def show
    content   = @file.content_preview if params[:preview] && @file.preferences[:content_preview]
    content ||= @file.content

    send_data(
      content,
      filename:    @file.filename,
      type:        @file.preferences['Content-Type'] || @file.preferences['Mime-Type'] || 'application/octet-stream',
      disposition: sanitized_disposition
    )
  end

  def create
    file = params[:File]
    content_type = file.content_type

    if !content_type || content_type == 'application/octet-stream'
      content_type = if MIME::Types.type_for(file.original_filename).first
                       MIME::Types.type_for(file.original_filename).first.content_type
                     else
                       'application/octet-stream'
                     end
    end

    headers_store = {
      'Content-Type' => content_type
    }

    store = Store.add(
      object:      'UploadCache',
      o_id:        params[:form_id],
      data:        file.read,
      filename:    file.original_filename,
      preferences: headers_store
    )

    render json: {
      success: true,
      data:    {
        id:       store.id,
        filename: file.original_filename,
        size:     store.size,
      }
    }
  end

  def destroy
    Store.remove_item(@file.id)

    render json: {
      success: true,
    }
  end

  def destroy_form
    Store.remove(
      object: 'UploadCache',
      o_id:   params[:form_id],
    )

    render json: {
      success: true,
    }
  end

  private

  def sanitized_disposition
    disposition = params.fetch(:disposition, 'inline')
    valid_disposition = %w[inline attachment]
    return disposition if valid_disposition.include?(disposition)

    raise Exceptions::Forbidden, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."
  end

  def verify_object_permissions
    @file = Store.find(params[:id])

    klass = @file&.store_object&.name&.safe_constantize
    return if klass.send("can_#{params[:action]}_attachment?", @file, current_user)

    raise ActiveRecord::RecordNotFound
  end
end
Maintenance: Update copyright information and add a new rubocop cop to watch over it. 2021-06-01 12:20:20 +00:00			`# Copyright (C) 2012-2021 Zammad Foundation, http://zammad-foundation.org/`

Initial knowledge base support. 2019-06-04 03:40:48 +00:00			`class AttachmentsController < ApplicationController`
Fixes #2777: Knowledge Base - Attachments not working for internal readers. 2019-11-12 14:08:00 +00:00			`prepend_before_action :authentication_check, except: %i[show destroy]`
			`prepend_before_action :authentication_check_only, only: %i[show destroy]`
Initial knowledge base support. 2019-06-04 03:40:48 +00:00			`before_action :verify_object_permissions, only: %i[show destroy]`

			`def show`
			`content = @file.content_preview if params[:preview] && @file.preferences[:content_preview]`
			`content \|\|= @file.content`

			`send_data(`
			`content,`
			`filename: @file.filename,`
			`type: @file.preferences['Content-Type'] \|\| @file.preferences['Mime-Type'] \|\| 'application/octet-stream',`
			`disposition: sanitized_disposition`
			`)`
			`end`

			`def create`
			`file = params[:File]`
			`content_type = file.content_type`

			`if !content_type \|\| content_type == 'application/octet-stream'`
			`content_type = if MIME::Types.type_for(file.original_filename).first`
			`MIME::Types.type_for(file.original_filename).first.content_type`
			`else`
			`'application/octet-stream'`
			`end`
			`end`

			`headers_store = {`
			`'Content-Type' => content_type`
			`}`

			`store = Store.add(`
			`object: 'UploadCache',`
			`o_id: params[:form_id],`
			`data: file.read,`
			`filename: file.original_filename,`
			`preferences: headers_store`
			`)`

			`render json: {`
			`success: true,`
			`data: {`
			`id: store.id,`
			`filename: file.original_filename,`
			`size: store.size,`
			`}`
			`}`
			`end`

			`def destroy`
			`Store.remove_item(@file.id)`

			`render json: {`
			`success: true,`
			`}`
			`end`

			`def destroy_form`
			`Store.remove(`
			`object: 'UploadCache',`
			`o_id: params[:form_id],`
			`)`

			`render json: {`
			`success: true,`
			`}`
			`end`

			`private`

			`def sanitized_disposition`
			`disposition = params.fetch(:disposition, 'inline')`
			`valid_disposition = %w[inline attachment]`
			`return disposition if valid_disposition.include?(disposition)`

Fixes issue #2983 - HTTP 401 responses causing issues with Basic Authentication. 2021-02-04 08:28:41 +00:00			`raise Exceptions::Forbidden, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid."`
Initial knowledge base support. 2019-06-04 03:40:48 +00:00			`end`

			`def verify_object_permissions`
			`@file = Store.find(params[:id])`

			`klass = @file&.store_object&.name&.safe_constantize`
			`return if klass.send("can_#{params[:action]}_attachment?", @file, current_user)`

			`raise ActiveRecord::RecordNotFound`
			`end`
			`end`