scinote-web/app/controllers/tiny_mce_assets_controller.rb

# frozen_string_literal: true

class TinyMceAssetsController < ApplicationController
  include MarvinJsActions
  include ActiveStorage::SetCurrent

  before_action :load_vars, only: %i(marvinjs_show marvinjs_update download)

  before_action :check_read_permission, only: %i(marvinjs_show marvinjs_update download)
  before_action :check_edit_permission, only: %i(marvinjs_update)

  def create
    status = :ok
    response_json = { images: [] }

    ActiveRecord::Base.transaction do
      images_params.each_with_index do |image, _i|
        unless image.content_type.match?(%r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}})
          status = :unprocessable_entity
          response_json = { errors: I18n.t('tiny_mce.unsupported_image_format') }
        end

        if image.size > Rails.configuration.x.file_max_size_mb.megabytes
          status = :unprocessable_entity
          response_json = { errors: t('general.file.size_exceeded', file_size: Rails.configuration.x.file_max_size_mb) }
        end

        raise ActiveRecord::Rollback if response_json[:errors]

        tiny_img = TinyMceAsset.new(team_id: current_team.id, saved: false)

        tiny_img.save!
        tiny_img.image.attach(io: image, filename: image.original_filename)
        response_json[:images] << { url: url_for(tiny_img.image), token: Base62.encode(tiny_img.id) }
      end
    rescue ActiveRecord::RecordInvalid => e
      response_json = { errors: e.message }
      status = :unprocessable_entity

      raise ActiveRecord::Rollback
    end

    render json: response_json, status: status
  end

  def download
    if @asset&.image&.attached?
      redirect_to rails_blob_path(@asset.image, disposition: 'attachment')
    else
      render_404
    end
  end

  def marvinjs_show
    asset = current_team.tiny_mce_assets.find_by(id: Base62.decode(params[:id]))
    return render_404 unless asset

    create_edit_marvinjs_activity(asset, current_user, :start_editing) if params[:show_action] == 'start_edit'

    render json: {
      name: asset.image.metadata[:name],
      description: asset.image.metadata[:description]
    }
  end

  def marvinjs_create
    result = MarvinJsService.create_sketch(marvin_params, current_user, current_team)
    if result[:asset]
      render json: {
        image: {
          url: rails_representation_url(result[:asset].preview),
          token: Base62.encode(result[:asset].id),
          source_type: result[:asset].image.metadata[:asset_type]
        }
      }, content_type: 'text/html'
    else
      render json: result[:asset].errors, status: :unprocessable_entity
    end
  end

  def marvinjs_update
    asset = MarvinJsService.update_sketch(marvin_params, current_user, current_team)
    if asset
      create_edit_marvinjs_activity(asset, current_user, :finish_editing)
      render json: { url: rails_representation_url(asset.preview), id: asset.id }
    else
      render json: { error: t('marvinjs.no_sketches_found') }, status: :unprocessable_entity
    end
  end

  private

  def load_vars
    @asset = current_team.tiny_mce_assets.find_by(id: Base62.decode(params[:id]))
    return render_404 unless @asset

    @assoc = @asset.object

    if @assoc.class == Step
      @protocol = @assoc.protocol
    elsif @assoc.class == Protocol
      @protocol = @assoc
    elsif @assoc.class == MyModule
      @my_module = @assoc
    elsif @assoc.class == ResultText
      @my_module = @assoc.result.my_module
    end
  end

  def check_read_permission
    if @assoc.class == Step || @assoc.class == Protocol
      return render_403 unless can_read_protocol_in_module?(@protocol) ||
                               can_read_protocol_in_repository?(@protocol)
    elsif @assoc.class == ResultText || @assoc.class == MyModule
      return render_403 unless can_read_experiment?(@my_module.experiment)
    elsif @assoc.nil?
      return render_403 unless current_team == @asset.team
    else
      render_403
    end
  end

  def check_edit_permission
    if @assoc.class == Step || @assoc.class == Protocol
      return render_403 unless can_manage_protocol_in_module?(@protocol) ||
                               can_manage_protocol_in_repository?(@protocol)
    elsif @assoc.class == ResultText || @assoc.class == MyModule
      return render_403 unless can_manage_my_module?(@my_module)
    elsif @assoc.nil?
      return render_403 unless current_team == @asset.team
    else
      render_403
    end
  end

  def marvin_params
    params.permit(:id, :description, :object_id, :object_type, :name, :image)
  end

  def images_params
    params.require(:files)
  end
end
refactoring tinymce image uploading 2019-03-11 20:43:50 +08:00			`# frozen_string_literal: true`

add tiny_mce controller 2017-04-19 15:13:16 +08:00			`class TinyMceAssetsController < ApplicationController`
Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00			`include MarvinJsActions`
Improve handling of file links for local storage [SCI-4071] 2019-11-19 22:35:31 +08:00			`include ActiveStorage::SetCurrent`
Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00
Security fixes 2019-07-19 20:10:38 +08:00			`before_action :load_vars, only: %i(marvinjs_show marvinjs_update download)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00
Security fixes 2019-07-19 20:10:38 +08:00			`before_action :check_read_permission, only: %i(marvinjs_show marvinjs_update download)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`before_action :check_edit_permission, only: %i(marvinjs_update)`

add tiny_mce controller 2017-04-19 15:13:16 +08:00			`def create`
Support multiple file upload in TinyMCE fields 2020-09-29 00:10:01 +08:00			`status = :ok`
			`response_json = { images: [] }`

			`ActiveRecord::Base.transaction do`
			`images_params.each_with_index do \|image, _i\|`
			`unless image.content_type.match?(%r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES)}})`
			`status = :unprocessable_entity`
			`response_json = { errors: I18n.t('tiny_mce.unsupported_image_format') }`
			`end`

			`if image.size > Rails.configuration.x.file_max_size_mb.megabytes`
			`status = :unprocessable_entity`
			`response_json = { errors: t('general.file.size_exceeded', file_size: Rails.configuration.x.file_max_size_mb) }`
			`end`

			`raise ActiveRecord::Rollback if response_json[:errors]`

			`tiny_img = TinyMceAsset.new(team_id: current_team.id, saved: false)`

			`tiny_img.save!`
			`tiny_img.image.attach(io: image, filename: image.original_filename)`
			`response_json[:images] << { url: url_for(tiny_img.image), token: Base62.encode(tiny_img.id) }`
			`end`
Refactor rescue block 2020-10-29 16:12:12 +08:00			`rescue ActiveRecord::RecordInvalid => e`
			`response_json = { errors: e.message }`
			`status = :unprocessable_entity`

			`raise ActiveRecord::Rollback`
Restrict files to only images in RTE fields [SCI-4146] 2019-12-16 23:05:40 +08:00			`end`

Support multiple file upload in TinyMCE fields 2020-09-29 00:10:01 +08:00			`render json: response_json, status: status`
add tiny_mce controller 2017-04-19 15:13:16 +08:00			`end`
Add MarvinJS assets to TinyMCE 2019-07-16 19:40:54 +08:00
			`def download`
Security fixes 2019-07-19 20:10:38 +08:00			`if @asset&.image&.attached?`
			`redirect_to rails_blob_path(@asset.image, disposition: 'attachment')`
Add MarvinJS assets to TinyMCE 2019-07-16 19:40:54 +08:00			`else`
			`render_404`
			`end`
			`end`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00
			`def marvinjs_show`
Support multiple file upload in TinyMCE fields 2020-09-29 00:10:01 +08:00			`asset = current_team.tiny_mce_assets.find_by(id: Base62.decode(params[:id]))`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`return render_404 unless asset`

Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00			`create_edit_marvinjs_activity(asset, current_user, :start_editing) if params[:show_action] == 'start_edit'`

Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`render json: {`
			`name: asset.image.metadata[:name],`
			`description: asset.image.metadata[:description]`
			`}`
			`end`

			`def marvinjs_create`
Security fixes 2019-07-19 20:10:38 +08:00			`result = MarvinJsService.create_sketch(marvin_params, current_user, current_team)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`if result[:asset]`
			`render json: {`
			`image: {`
			`url: rails_representation_url(result[:asset].preview),`
			`token: Base62.encode(result[:asset].id),`
			`source_type: result[:asset].image.metadata[:asset_type]`
			`}`
			`}, content_type: 'text/html'`
			`else`
			`render json: result[:asset].errors, status: :unprocessable_entity`
			`end`
			`end`

			`def marvinjs_update`
Security fixes 2019-07-19 20:10:38 +08:00			`asset = MarvinJsService.update_sketch(marvin_params, current_user, current_team)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`if asset`
Add activities for marvinJS [SCI-3630] (#1950) * Add marvinJs activities to step and results * Add activities for TinyMCE marvinJS assets * Fix markup 2019-08-09 15:47:07 +08:00			`create_edit_marvinjs_activity(asset, current_user, :finish_editing)`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`render json: { url: rails_representation_url(asset.preview), id: asset.id }`
			`else`
			`render json: { error: t('marvinjs.no_sketches_found') }, status: :unprocessable_entity`
			`end`
			`end`

			`private`

			`def load_vars`
Support multiple file upload in TinyMCE fields 2020-09-29 00:10:01 +08:00			`@asset = current_team.tiny_mce_assets.find_by(id: Base62.decode(params[:id]))`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`return render_404 unless @asset`

Security fixes 2019-07-19 20:10:38 +08:00			`@assoc = @asset.object`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00
			`if @assoc.class == Step`
			`@protocol = @assoc.protocol`
			`elsif @assoc.class == Protocol`
			`@protocol = @assoc`
			`elsif @assoc.class == MyModule`
			`@my_module = @assoc`
Security fixes 2019-07-19 20:10:38 +08:00			`elsif @assoc.class == ResultText`
			`@my_module = @assoc.result.my_module`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`end`
			`end`

			`def check_read_permission`
			`if @assoc.class == Step \|\| @assoc.class == Protocol`
Security fixes 2019-07-19 20:10:38 +08:00			`return render_403 unless can_read_protocol_in_module?(@protocol) \|\|`
			`can_read_protocol_in_repository?(@protocol)`
			`elsif @assoc.class == ResultText \|\| @assoc.class == MyModule`
			`return render_403 unless can_read_experiment?(@my_module.experiment)`
Add custom context menu to TinyMCE images [SCI-3582] (#1944) * Add custom context menu to TinyMCE images * Fix permission check for unsaved objects * Fix markup 2019-08-07 16:28:42 +08:00			`elsif @assoc.nil?`
			`return render_403 unless current_team == @asset.team`
Security fixes 2019-07-19 20:10:38 +08:00			`else`
			`render_403`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`end`
			`end`

			`def check_edit_permission`
			`if @assoc.class == Step \|\| @assoc.class == Protocol`
Security fixes 2019-07-19 20:10:38 +08:00			`return render_403 unless can_manage_protocol_in_module?(@protocol) \|\|`
			`can_manage_protocol_in_repository?(@protocol)`
			`elsif @assoc.class == ResultText \|\| @assoc.class == MyModule`
Reworked MyModule permissions [SCI-6056] 2021-09-14 17:08:35 +08:00			`return render_403 unless can_manage_my_module?(@my_module)`
Add custom context menu to TinyMCE images [SCI-3582] (#1944) * Add custom context menu to TinyMCE images * Fix permission check for unsaved objects * Fix markup 2019-08-07 16:28:42 +08:00			`elsif @assoc.nil?`
			`return render_403 unless current_team == @asset.team`
Security fixes 2019-07-19 20:10:38 +08:00			`else`
			`render_403`
Move TinyMCE logic to correspond controller 2019-07-16 21:51:44 +08:00			`end`
			`end`

			`def marvin_params`
			`params.permit(:id, :description, :object_id, :object_type, :name, :image)`
			`end`
Support multiple file upload in TinyMCE fields 2020-09-29 00:10:01 +08:00
			`def images_params`
			`params.require(:files)`
			`end`
add tiny_mce controller 2017-04-19 15:13:16 +08:00			`end`