scinote-web/app/controllers/tiny_mce_assets_controller.rb

# frozen_string_literal: true

class TinyMceAssetsController < ApplicationController
  include MarvinJsActions
  include ActiveStorage::SetCurrent

  before_action :load_vars, only: %i(marvinjs_show marvinjs_update download)

  before_action :check_read_permission, only: %i(marvinjs_show marvinjs_update download)
  before_action :check_edit_permission, only: %i(marvinjs_update)

  def create
    image = params.fetch(:file) { render_404 }
    unless image.content_type.match?(%r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}})
      return render json: {
        errors: [I18n.t('tiny_mce.unsupported_image_format')]
      }, status: :unprocessable_entity
    end

    tiny_img = TinyMceAsset.new(team_id: current_team.id, saved: false)

    tiny_img.transaction do
      tiny_img.save!
      tiny_img.image.attach(io: image, filename: image.original_filename)
    end

    if tiny_img.persisted?
      render json: {
        image: {
          url: url_for(tiny_img.image),
          token: Base62.encode(tiny_img.id)
        }
      }, content_type: 'text/html'
    else
      render json: {
        errors: tiny_img.errors.full_messages
      }, status: :unprocessable_entity
    end
  end

  def download
    if @asset&.image&.attached?
      redirect_to rails_blob_path(@asset.image, disposition: 'attachment')
    else
      render_404
    end
  end

  def marvinjs_show
    asset = current_team.tiny_mce_assets.find_by_id(Base62.decode(params[:id]))
    return render_404 unless asset

    create_edit_marvinjs_activity(asset, current_user, :start_editing) if params[:show_action] == 'start_edit'

    render json: {
      name: asset.image.metadata[:name],
      description: asset.image.metadata[:description]
    }
  end

  def marvinjs_create
    result = MarvinJsService.create_sketch(marvin_params, current_user, current_team)
    if result[:asset]
      render json: {
        image: {
          url: rails_representation_url(result[:asset].preview),
          token: Base62.encode(result[:asset].id),
          source_type: result[:asset].image.metadata[:asset_type]
        }
      }, content_type: 'text/html'
    else
      render json: result[:asset].errors, status: :unprocessable_entity
    end
  end

  def marvinjs_update
    asset = MarvinJsService.update_sketch(marvin_params, current_user, current_team)
    if asset
      create_edit_marvinjs_activity(asset, current_user, :finish_editing)
      render json: { url: rails_representation_url(asset.preview), id: asset.id }
    else
      render json: { error: t('marvinjs.no_sketches_found') }, status: :unprocessable_entity
    end
  end

  private

  def load_vars
    @asset = current_team.tiny_mce_assets.find_by_id(Base62.decode(params[:id]))
    return render_404 unless @asset

    @assoc = @asset.object

    if @assoc.class == Step
      @protocol = @assoc.protocol
    elsif @assoc.class == Protocol
      @protocol = @assoc
    elsif @assoc.class == MyModule
      @my_module = @assoc
    elsif @assoc.class == ResultText
      @my_module = @assoc.result.my_module
    end
  end

  def check_read_permission
    if @assoc.class == Step || @assoc.class == Protocol
      return render_403 unless can_read_protocol_in_module?(@protocol) ||
                               can_read_protocol_in_repository?(@protocol)
    elsif @assoc.class == ResultText || @assoc.class == MyModule
      return render_403 unless can_read_experiment?(@my_module.experiment)
    elsif @assoc.nil?
      return render_403 unless current_team == @asset.team
    else
      render_403
    end
  end

  def check_edit_permission
    if @assoc.class == Step || @assoc.class == Protocol
      return render_403 unless can_manage_protocol_in_module?(@protocol) ||
                               can_manage_protocol_in_repository?(@protocol)
    elsif @assoc.class == ResultText || @assoc.class == MyModule
      return render_403 unless can_manage_module?(@my_module)
    elsif @assoc.nil?
      return render_403 unless current_team == @asset.team
    else
      render_403
    end
  end

  def marvin_params
    params.permit(:id, :description, :object_id, :object_type, :name, :image)
  end
end
refactoring tinymce image uploading 2019-03-11 20:43:50 +08:00			`# frozen_string_literal: true`

add tiny_mce controller 2017-04-19 15:13:16 +08:00			`class TinyMceAssetsController < ApplicationController`
Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00			`include MarvinJsActions`
Improve handling of file links for local storage [SCI-4071] 2019-11-19 22:35:31 +08:00			`include ActiveStorage::SetCurrent`
Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00
Security fixes 2019-07-19 20:10:38 +08:00			`before_action :load_vars, only: %i(marvinjs_show marvinjs_update download)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00
Security fixes 2019-07-19 20:10:38 +08:00			`before_action :check_read_permission, only: %i(marvinjs_show marvinjs_update download)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`before_action :check_edit_permission, only: %i(marvinjs_update)`

add tiny_mce controller 2017-04-19 15:13:16 +08:00			`def create`
working version for steps first run 2017-04-21 22:09:04 +08:00			`image = params.fetch(:file) { render_404 }`
Restrict files to only images in RTE fields [SCI-4146] 2019-12-16 23:05:40 +08:00			`unless image.content_type.match?(%r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}})`
			`return render json: {`
			`errors: [I18n.t('tiny_mce.unsupported_image_format')]`
			`}, status: :unprocessable_entity`
			`end`

Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`tiny_img = TinyMceAsset.new(team_id: current_team.id, saved: false)`

			`tiny_img.transaction do`
			`tiny_img.save!`
			`tiny_img.image.attach(io: image, filename: image.original_filename)`
			`end`

			`if tiny_img.persisted?`
working version for steps first run 2017-04-21 22:09:04 +08:00			`render json: {`
refactor, fix user annotation bug 2017-04-24 22:22:25 +08:00			`image: {`
Refactor TinyMce assets, user avatars, zip files [SCI-3539] 2019-07-05 22:56:05 +08:00			`url: url_for(tiny_img.image),`
refactor, fix user annotation bug 2017-04-24 22:22:25 +08:00			`token: Base62.encode(tiny_img.id)`
			`}`
working version for steps first run 2017-04-21 22:09:04 +08:00			`}, content_type: 'text/html'`
			`else`
refactor, fix user annotation bug 2017-04-24 22:22:25 +08:00			`render json: {`
Restrict files to only images in RTE fields [SCI-4146] 2019-12-16 23:05:40 +08:00			`errors: tiny_img.errors.full_messages`
refactor, fix user annotation bug 2017-04-24 22:22:25 +08:00			`}, status: :unprocessable_entity`
working version for steps first run 2017-04-21 22:09:04 +08:00			`end`
add tiny_mce controller 2017-04-19 15:13:16 +08:00			`end`
Add MarvinJS assets to TinyMCE 2019-07-16 19:40:54 +08:00
			`def download`
Security fixes 2019-07-19 20:10:38 +08:00			`if @asset&.image&.attached?`
			`redirect_to rails_blob_path(@asset.image, disposition: 'attachment')`
Add MarvinJS assets to TinyMCE 2019-07-16 19:40:54 +08:00			`else`
			`render_404`
			`end`
			`end`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00
			`def marvinjs_show`
Simplify TinyMCE assets for MarvinJS 2019-07-19 15:27:03 +08:00			`asset = current_team.tiny_mce_assets.find_by_id(Base62.decode(params[:id]))`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`return render_404 unless asset`

Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00			`create_edit_marvinjs_activity(asset, current_user, :start_editing) if params[:show_action] == 'start_edit'`

Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`render json: {`
			`name: asset.image.metadata[:name],`
			`description: asset.image.metadata[:description]`
			`}`
			`end`

			`def marvinjs_create`
Security fixes 2019-07-19 20:10:38 +08:00			`result = MarvinJsService.create_sketch(marvin_params, current_user, current_team)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`if result[:asset]`
			`render json: {`
			`image: {`
			`url: rails_representation_url(result[:asset].preview),`
			`token: Base62.encode(result[:asset].id),`
			`source_type: result[:asset].image.metadata[:asset_type]`
			`}`
			`}, content_type: 'text/html'`
			`else`
			`render json: result[:asset].errors, status: :unprocessable_entity`
			`end`
			`end`

			`def marvinjs_update`
Security fixes 2019-07-19 20:10:38 +08:00			`asset = MarvinJsService.update_sketch(marvin_params, current_user, current_team)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`if asset`
Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00			`create_edit_marvinjs_activity(asset, current_user, :finish_editing)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`render json: { url: rails_representation_url(asset.preview), id: asset.id }`
			`else`
			`render json: { error: t('marvinjs.no_sketches_found') }, status: :unprocessable_entity`
			`end`
			`end`

			`private`

			`def load_vars`
Simplify TinyMCE assets for MarvinJS 2019-07-19 15:27:03 +08:00			`@asset = current_team.tiny_mce_assets.find_by_id(Base62.decode(params[:id]))`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`return render_404 unless @asset`

Security fixes 2019-07-19 20:10:38 +08:00			`@assoc = @asset.object`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00
			`if @assoc.class == Step`
			`@protocol = @assoc.protocol`
			`elsif @assoc.class == Protocol`
			`@protocol = @assoc`
			`elsif @assoc.class == MyModule`
			`@my_module = @assoc`
Security fixes 2019-07-19 20:10:38 +08:00			`elsif @assoc.class == ResultText`
			`@my_module = @assoc.result.my_module`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`end`
			`end`

			`def check_read_permission`
			`if @assoc.class == Step \|\| @assoc.class == Protocol`
Security fixes 2019-07-19 20:10:38 +08:00			`return render_403 unless can_read_protocol_in_module?(@protocol) \|\|`
			`can_read_protocol_in_repository?(@protocol)`
			`elsif @assoc.class == ResultText \|\| @assoc.class == MyModule`
			`return render_403 unless can_read_experiment?(@my_module.experiment)`
Add custom context menu to TinyMCE images [SCI-3582] (#1944) * Add custom context menu to TinyMCE images * Fix permission check for unsaved objects * Fix markup 2019-08-07 16:28:42 +08:00			`elsif @assoc.nil?`
			`return render_403 unless current_team == @asset.team`
Security fixes 2019-07-19 20:10:38 +08:00			`else`
			`render_403`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`end`
			`end`

			`def check_edit_permission`
			`if @assoc.class == Step \|\| @assoc.class == Protocol`
Security fixes 2019-07-19 20:10:38 +08:00			`return render_403 unless can_manage_protocol_in_module?(@protocol) \|\|`
			`can_manage_protocol_in_repository?(@protocol)`
			`elsif @assoc.class == ResultText \|\| @assoc.class == MyModule`
			`return render_403 unless can_manage_module?(@my_module)`
Add custom context menu to TinyMCE images [SCI-3582] (#1944) * Add custom context menu to TinyMCE images * Fix permission check for unsaved objects * Fix markup 2019-08-07 16:28:42 +08:00			`elsif @assoc.nil?`
			`return render_403 unless current_team == @asset.team`
Security fixes 2019-07-19 20:10:38 +08:00			`else`
			`render_403`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`end`
			`end`

			`def marvin_params`
			`params.permit(:id, :description, :object_id, :object_type, :name, :image)`
			`end`
add tiny_mce controller 2017-04-19 15:13:16 +08:00			`end`