scinote-web/app/controllers/assets_controller.rb

class AssetsController < ApplicationController
  include WopiUtil

  before_action :load_vars, except: :signature
  before_action :check_read_permission, except: [:signature, :file_present]
  before_action :check_edit_permission, only: :edit

  # Validates asset and then generates S3 upload posts, because
  # otherwise untracked files could be uploaded to S3
  def signature
    respond_to do |format|
      format.json {
        asset = Asset.new(asset_params)
        if asset.valid?
          posts = generate_upload_posts asset
          render json: {
            posts: posts
          }
        else
          render json: {
            status: 'error',
            errors: asset.errors
          }, status: :bad_request
        end
      }
    end
  end

  def file_present
    respond_to do |format|
      format.json {
        if @asset.file_present
          # Only if file is present,
          # check_read_permission
          check_read_permission

          # If check_read_permission already rendered error,
          # stop execution
          if performed? then
            return
          end

          # If check permission passes, return :ok
          render json: {}, status: 200
        else
          render json: {}, status: 404
        end
      }
    end
  end

  def preview
    if @asset.is_image?
      redirect_to @asset.url(:medium), status: 307
    else
      render_400
    end
  end

  def download
    if !@asset.file_present
      render_404 and return
    elsif @asset.file.is_stored_on_s3?
      redirect_to @asset.presigned_url(download: true), status: 307
    else
      send_file @asset.file.path, filename: URI.unescape(@asset.file_file_name),
        type: @asset.file_content_type
    end
  end

  def edit
    @action_url = append_wd_params(@asset
                                   .get_action_url(current_user, 'edit', false))
    @favicon_url = @asset.favicon_url('edit')
    tkn = current_user.get_wopi_token
    @token = tkn.token
    @ttl = (tkn.ttl * 1000).to_s
    create_wopi_file_activity(current_user, true)

    render layout: false
  end

  def view
    @action_url = append_wd_params(@asset
                                   .get_action_url(current_user, 'view', false))
    @favicon_url = @asset.favicon_url('view')
    tkn = current_user.get_wopi_token
    @token = tkn.token
    @ttl = (tkn.ttl * 1000).to_s

    render layout: false
  end

  private

  def load_vars
    @asset = Asset.find_by_id(params[:id])
    render_404 unless @asset

    step_assoc = @asset.step
    result_assoc = @asset.result
    @assoc = step_assoc unless step_assoc.nil?
    @assoc = result_assoc unless result_assoc.nil?

    if @assoc.class == Step
      @protocol = @asset.step.protocol
    else
      @my_module = @assoc.my_module
    end
  end

  def check_read_permission
    if @assoc.class == Step
      unless can_view_or_download_step_assets(@protocol)
        render_403 and return
      end
    elsif @assoc.class == Result
      unless can_view_or_download_result_assets(@my_module)
        render_403 and return
      end
    end
  end

  def check_edit_permission
    if @assoc.class == Step
      unless can_edit_step_in_protocol(@protocol)
        render_403 and return
      end
    elsif @assoc.class == Result
      unless can_edit_result_asset_in_module(@my_module)
        render_403 and return
      end
    end
  end

  def generate_upload_posts(asset)
    posts = []
    s3_post = S3_BUCKET.presigned_post(
      key: asset.file.path[1..-1],
      success_action_status: '201',
      acl: 'private',
      storage_class: "STANDARD",
      content_length_range: 1..Constants::FILE_MAX_SIZE_MB.megabytes,
      content_type: asset.file_content_type
    )
    posts.push({
      url: s3_post.url,
      fields: s3_post.fields
    })

    condition = %r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}}

    if condition === asset.file_content_type
      asset.file.options[:styles].each do |style, option|
        s3_post = S3_BUCKET.presigned_post(
          key: asset.file.path(style)[1..-1],
          success_action_status: '201',
          acl: 'public-read',
          storage_class: "REDUCED_REDUNDANCY",
          content_length_range: 1..Constants::FILE_MAX_SIZE_MB.megabytes,
          content_type: asset.file_content_type
        )
        posts.push({
          url: s3_post.url,
          fields: s3_post.fields,
          style_option: option,
          mime_type: asset.file_content_type
        })
      end
    end

    posts
  end

  def append_wd_params(url)
    wd_params = ''
    params.keys.select { |i| i[/^wd.*/] }.each do |wd|
      next if wd == 'wdPreviousSession' || wd == 'wdPreviousCorrelation'
      wd_params += "&#{wd}=#{params[wd]}"
    end
    url + wd_params
  end

  def asset_params
    params.permit(
      :file
    )
  end
end
Initial commit. 2016-02-12 23:52:43 +08:00			`class AssetsController < ApplicationController`
Add wopi file activity SCI-393 #close 2016-09-29 21:30:55 +08:00			`include WopiUtil`

code refactor 2016-12-21 23:52:15 +08:00			`before_action :load_vars, except: :signature`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`before_action :check_read_permission, except: [:signature, :file_present]`
code refactor 2016-12-21 23:52:15 +08:00			`before_action :check_edit_permission, only: :edit`
Initial commit. 2016-02-12 23:52:43 +08:00
Multiple files upload handling and user experience improved. Spinner now also prevents user from accidentally leaving page. 2016-08-09 20:39:24 +08:00			`# Validates asset and then generates S3 upload posts, because`
			`# otherwise untracked files could be uploaded to S3`
Initial commit. 2016-02-12 23:52:43 +08:00			`def signature`
			`respond_to do \|format\|`
			`format.json {`
Added deleting of files on S3 server when editing/removing a file. Some refactoring. 2016-08-17 15:44:53 +08:00			`asset = Asset.new(asset_params)`
Replaced hardcoded values with unified constants. Minor refactoring. Also front-end error handling was updated accordingly. [fixes SCI-408] 2016-09-16 17:39:37 +08:00			`if asset.valid?`
Initial commit. 2016-02-12 23:52:43 +08:00			`posts = generate_upload_posts asset`
			`render json: {`
			`posts: posts`
			`}`
Replaced hardcoded values with unified constants. Minor refactoring. Also front-end error handling was updated accordingly. [fixes SCI-408] 2016-09-16 17:39:37 +08:00			`else`
			`render json: {`
			`status: 'error',`
			`errors: asset.errors`
			`}, status: :bad_request`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`
			`}`
			`end`
			`end`

Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`def file_present`
			`respond_to do \|format\|`
			`format.json {`
			`if @asset.file_present`
			`# Only if file is present,`
			`# check_read_permission`
			`check_read_permission`

			`# If check_read_permission already rendered error,`
			`# stop execution`
			`if performed? then`
			`return`
			`end`

			`# If check permission passes, return :ok`
			`render json: {}, status: 200`
			`else`
			`render json: {}, status: 404`
			`end`
			`}`
			`end`
			`end`

Initial commit. 2016-02-12 23:52:43 +08:00			`def preview`
			`if @asset.is_image?`
URL presigning is now used only when using S3 file uploading (caused error for local uploading) [fixes SCI-447], along with some refactoring. 2016-09-14 00:42:17 +08:00			`redirect_to @asset.url(:medium), status: 307`
Initial commit. 2016-02-12 23:52:43 +08:00			`else`
			`render_400`
			`end`
			`end`

			`def download`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`if !@asset.file_present`
			`render_404 and return`
			`elsif @asset.file.is_stored_on_s3?`
File permissions corrected, with some refactoring. 2016-08-17 21:51:04 +08:00			`redirect_to @asset.presigned_url(download: true), status: 307`
Initial commit. 2016-02-12 23:52:43 +08:00			`else`
Special characters caused error [fixes SCI-315]. 2016-08-09 23:08:47 +08:00			`send_file @asset.file.path, filename: URI.unescape(@asset.file_file_name),`
Initial commit. 2016-02-12 23:52:43 +08:00			`type: @asset.file_content_type`
			`end`
			`end`

First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`def edit`
Add wd* params to iframe action url 2016-10-05 00:00:08 +08:00			`@action_url = append_wd_params(@asset`
			`.get_action_url(current_user, 'edit', false))`
Add favicon url to iframe 2016-09-29 18:19:29 +08:00			`@favicon_url = @asset.favicon_url('edit')`
Users can now have multiple tokens A new token is generated whenever an edit or view file is called. Tokens have a TTL of one day. Also enabled the toggling of both wopi and wopi test mode, using environmental variables. 2016-11-30 23:48:42 +08:00			`tkn = current_user.get_wopi_token`
			`@token = tkn.token`
			`@ttl = (tkn.ttl * 1000).to_s`
Add wopi file activity SCI-393 #close 2016-09-29 21:30:55 +08:00			`create_wopi_file_activity(current_user, true)`
Remove navbar for viewing WOPI files 2016-10-04 02:02:13 +08:00
			`render layout: false`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`

			`def view`
Add wd* params to iframe action url 2016-10-05 00:00:08 +08:00			`@action_url = append_wd_params(@asset`
			`.get_action_url(current_user, 'view', false))`
Add favicon url to iframe 2016-09-29 18:19:29 +08:00			`@favicon_url = @asset.favicon_url('view')`
Users can now have multiple tokens A new token is generated whenever an edit or view file is called. Tokens have a TTL of one day. Also enabled the toggling of both wopi and wopi test mode, using environmental variables. 2016-11-30 23:48:42 +08:00			`tkn = current_user.get_wopi_token`
			`@token = tkn.token`
			`@ttl = (tkn.ttl * 1000).to_s`
Remove navbar for viewing WOPI files 2016-10-04 02:02:13 +08:00
			`render layout: false`
First working version of office integration Only works on scinote-preview 2016-08-10 23:49:25 +08:00			`end`

Initial commit. 2016-02-12 23:52:43 +08:00			`private`

			`def load_vars`
			`@asset = Asset.find_by_id(params[:id])`
Refactor the rest of WOPI logic from Nejc 2016-09-23 17:42:12 +08:00			`render_404 unless @asset`
Initial commit. 2016-02-12 23:52:43 +08:00
			`step_assoc = @asset.step`
			`result_assoc = @asset.result`
Refactor the rest of WOPI logic from Nejc 2016-09-23 17:42:12 +08:00			`@assoc = step_assoc unless step_assoc.nil?`
			`@assoc = result_assoc unless result_assoc.nil?`
Initial commit. 2016-02-12 23:52:43 +08:00
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`if @assoc.class == Step`
			`@protocol = @asset.step.protocol`
			`else`
			`@my_module = @assoc.my_module`
			`end`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`

			`def check_read_permission`
			`if @assoc.class == Step`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`unless can_view_or_download_step_assets(@protocol)`
			`render_403 and return`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`
			`elsif @assoc.class == Result`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`unless can_view_or_download_result_assets(@my_module)`
			`render_403 and return`
Initial commit. 2016-02-12 23:52:43 +08:00			`end`
			`end`
			`end`

Add check file permissions to assets controller SCI-502 #close 2016-09-28 00:14:19 +08:00			`def check_edit_permission`
			`if @assoc.class == Step`
			`unless can_edit_step_in_protocol(@protocol)`
			`render_403 and return`
			`end`
			`elsif @assoc.class == Result`
			`unless can_edit_result_asset_in_module(@my_module)`
			`render_403 and return`
			`end`
			`end`
			`end`

Initial commit. 2016-02-12 23:52:43 +08:00			`def generate_upload_posts(asset)`
			`posts = []`
			`s3_post = S3_BUCKET.presigned_post(`
			`key: asset.file.path[1..-1],`
			`success_action_status: '201',`
			`acl: 'private',`
			`storage_class: "STANDARD",`
Ruby constants are now automatically available in JS. Refactoring was needed. 2016-10-05 23:45:20 +08:00			`content_length_range: 1..Constants::FILE_MAX_SIZE_MB.megabytes,`
Initial commit. 2016-02-12 23:52:43 +08:00			`content_type: asset.file_content_type`
			`)`
			`posts.push({`
			`url: s3_post.url,`
			`fields: s3_post.fields`
			`})`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00
Improve regexp for image whitelisting [SCI-736] 2016-11-28 17:08:54 +08:00			`condition = %r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}}`

			`if condition === asset.file_content_type`
Initial commit. 2016-02-12 23:52:43 +08:00			`asset.file.options[:styles].each do \|style, option\|`
			`s3_post = S3_BUCKET.presigned_post(`
			`key: asset.file.path(style)[1..-1],`
			`success_action_status: '201',`
			`acl: 'public-read',`
			`storage_class: "REDUCED_REDUNDANCY",`
Ruby constants are now automatically available in JS. Refactoring was needed. 2016-10-05 23:45:20 +08:00			`content_length_range: 1..Constants::FILE_MAX_SIZE_MB.megabytes,`
Initial commit. 2016-02-12 23:52:43 +08:00			`content_type: asset.file_content_type`
			`)`
			`posts.push({`
			`url: s3_post.url,`
			`fields: s3_post.fields,`
			`style_option: option,`
			`mime_type: asset.file_content_type`
			`})`
			`end`
			`end`

			`posts`
			`end`

Add wd* params to iframe action url 2016-10-05 00:00:08 +08:00			`def append_wd_params(url)`
			`wd_params = ''`
			`params.keys.select { \|i\| i[/^wd.*/] }.each do \|wd\|`
			`next if wd == 'wdPreviousSession' \|\| wd == 'wdPreviousCorrelation'`
			`wd_params += "&#{wd}=#{params[wd]}"`
			`end`
			`url + wd_params`
			`end`

A lot of file uploading edge cases considered. File uploading is now actually redirected to S3 server, as before was not. Error functions changed and error output format specified, which should be used consistently throughout the application. Some other refactoring. 2016-08-05 23:00:29 +08:00			`def asset_params`
			`params.permit(`
			`:file`
			`)`
			`end`
Migration GitLab -> GitHub 2016-07-21 19:11:15 +08:00			`end`