# frozen_string_literal: true
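module ActiveStorage
  # Controller concern guarding blob downloads: before every action, the blob in
  # @blob may only be served when the current user can read at least one of the
  # records it is attached to. Record types without an explicit rule are denied.
  #
  # Relies on the including controller providing @blob, current_user,
  # current_team, render_403, render_404 and the can_read_* permission helpers.
  module CheckBlobPermissions
    extend ActiveSupport::Concern

    included do
      before_action :check_read_permissions
    end

    private

    # Renders 404 for a blob with no attachments and 403 when none of its
    # attachments is readable by the current user; otherwise renders nothing so
    # the action proceeds.
    #
    # The *_readable? helpers are pure predicates and the single render_403
    # happens here. Rendering inside the `any?` block as a side effect of each
    # check would make the outcome depend on attachment order (a readable
    # attachment yields nil, so iteration continues to an unreadable one) and
    # could call render twice (DoubleRenderError) when several attachments are
    # unreadable.
    def check_read_permissions
      attachments = @blob.attachments
      return render_404 if attachments.blank?

      render_403 unless attachments.any? { |attachment| attachment_readable?(attachment) }
    end

    # True when the current user may read the record the attachment belongs to.
    # Deny by default: a record type without an explicit rule is not readable.
    # attachment.record is only touched inside a matched branch so that an
    # unknown record_type is denied rather than raising while loading the record.
    def attachment_readable?(attachment)
      case attachment.record_type
      when 'Asset'
        asset_readable?(attachment.record)
      when 'TinyMceAsset'
        tinymce_asset_readable?(attachment.record)
      when 'Experiment'
        experiment_readable?(attachment.record)
      when 'Report'
        report_readable?(attachment.record)
      when 'User'
        # No read restrictions for avatars
        true
      when 'ZipExport', 'TeamZipExport'
        zip_export_readable?(attachment.record)
      else
        false
      end
    end

    # An asset is readable through the step, result or repository cell it
    # belongs to; an asset with none of these (or a missing record) is not.
    def asset_readable?(asset)
      return false unless asset

      if asset.step
        protocol_readable?(asset.step.protocol)
      elsif asset.result
        can_read_experiment?(asset.result.my_module.experiment)
      elsif asset.repository_cell
        can_read_repository?(asset.repository_cell.repository_column.repository)
      else
        false
      end
    end

    # A TinyMCE asset not attached to any object is readable only within its
    # own team; otherwise readability follows the object it is attached to.
    # Object types without a rule are denied.
    def tinymce_asset_readable?(asset)
      return false unless asset

      object = asset.object
      # A nil object used to fall through to the object_type dispatch and could
      # raise there; a missing object for another team is simply not readable.
      return asset.team == current_team if object.nil?

      case asset.object_type
      when 'MyModule'
        can_read_experiment?(object.experiment)
      when 'Protocol'
        protocol_readable?(object)
      when 'ResultText'
        can_read_experiment?(object.result.my_module.experiment)
      when 'Step'
        protocol_readable?(object.protocol)
      else
        false
      end
    end

    # A missing experiment record is not readable.
    def experiment_readable?(experiment)
      return false unless experiment

      can_read_experiment?(experiment)
    end

    # A report is readable when its project is; a missing record is not.
    def report_readable?(report)
      return false unless report

      can_read_project?(report.project)
    end

    # Zip exports are private to the user who requested them.
    def zip_export_readable?(zip_export)
      return false unless zip_export

      zip_export.user == current_user
    end

    # A protocol is readable either within its module or from the repository.
    def protocol_readable?(protocol)
      can_read_protocol_in_module?(protocol) || can_read_protocol_in_repository?(protocol)
    end

    # The check_* methods keep the historical contract (render 403 as a side
    # effect when access is denied) for any caller that still relies on it.
    def check_attachment_read_permissions(attachment)
      render_403 unless attachment_readable?(attachment)
    end

    def check_asset_read_permissions(asset)
      render_403 unless asset_readable?(asset)
    end

    def check_tinymce_asset_read_permissions(asset)
      render_403 unless tinymce_asset_readable?(asset)
    end

    def check_experiment_read_permissions(experiment)
      render_403 unless experiment_readable?(experiment)
    end

    def check_report_read_permissions(report)
      render_403 unless report_readable?(report)
    end

    def check_zip_export_read_permissions(zip_export)
      render_403 unless zip_export_readable?(zip_export)
    end
  end
end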