scinote-web/app/controllers/concerns/active_storage/check_blob_permissions.rb

# frozen_string_literal: true

module ActiveStorage
  module CheckBlobPermissions
    extend ActiveSupport::Concern

    included do
      before_action :check_read_permissions
    end

    private

    def check_read_permissions
      attachment = @blob.attachments.take
      return render_404 if attachment.blank?

      case attachment.record_type
      when 'Asset'
        check_asset_read_permissions
      when 'TinyMceAsset'
        check_tinymce_asset_read_permissions
      when 'Experiment'
        check_experiment_read_permissions
      when 'User'
        # No read restrictions for avatars
        true
      when 'ZipExport', 'TeamZipExport'
        check_zip_export_read_permissions
      else
        render_403
      end
    end

    def check_asset_read_permissions
      asset = @blob.attachments.first.record
      return render_403 unless asset

      if asset.step
        protocol = asset.step.protocol
        render_403 unless can_read_protocol_in_module?(protocol) || can_read_protocol_in_repository?(protocol)
      elsif asset.result
        experiment = asset.result.my_module.experiment
        render_403 unless can_read_experiment?(experiment)
      elsif asset.repository_cell
        repository = asset.repository_cell.repository_column.repository
        render_403 unless can_read_repository?(repository)
      else
        render_403
      end
    end

    def check_tinymce_asset_read_permissions
      asset = @blob.attachments.first.record
      return render_403 unless asset
      return true if asset.object.nil? && asset.team == current_team

      case asset.object_type
      when 'MyModule'
        render_403 unless can_read_experiment?(asset.object.experiment)
      when 'Protocol'
        render_403 unless can_read_protocol_in_module?(asset.object) ||
                          can_read_protocol_in_repository?(asset.object)
      when 'ResultText'
        render_403 unless can_read_experiment?(asset.object.result.my_module.experiment)
      when 'Step'
        render_403 unless can_read_protocol_in_module?(asset.object.protocol) ||
                          can_read_protocol_in_repository?(asset.object.protocol)
      else
        render_403
      end
    end

    def check_experiment_read_permissions
      render_403 && return unless can_read_experiment?(@blob.attachments.first.record)
    end

    def check_zip_export_read_permissions
      render_403 unless @blob.attachments.first.record.user == current_user
    end
  end
end
Implement read permissions checks for ActiveStorage controllers [SCI-3680] 2019-08-01 19:17:24 +08:00			`# frozen_string_literal: true`

			`module ActiveStorage`
			`module CheckBlobPermissions`
			`extend ActiveSupport::Concern`

			`included do`
			`before_action :check_read_permissions`
			`end`

			`private`

			`def check_read_permissions`
Multiple small bugfixes [SCI-5494] 2021-02-18 20:55:03 +08:00			`attachment = @blob.attachments.take`
			`return render_404 if attachment.blank?`

			`case attachment.record_type`
Implement read permissions checks for ActiveStorage controllers [SCI-3680] 2019-08-01 19:17:24 +08:00			`when 'Asset'`
			`check_asset_read_permissions`
			`when 'TinyMceAsset'`
			`check_tinymce_asset_read_permissions`
			`when 'Experiment'`
			`check_experiment_read_permissions`
			`when 'User'`
			`# No read restrictions for avatars`
			`true`
Remove dowload endpoint from assets controller [SCI-3680] 2019-08-07 19:29:04 +08:00			`when 'ZipExport', 'TeamZipExport'`
Implement read permissions checks for ActiveStorage controllers [SCI-3680] 2019-08-01 19:17:24 +08:00			`check_zip_export_read_permissions`
			`else`
			`render_403`
			`end`
			`end`

			`def check_asset_read_permissions`
			`asset = @blob.attachments.first.record`
			`return render_403 unless asset`

			`if asset.step`
			`protocol = asset.step.protocol`
			`render_403 unless can_read_protocol_in_module?(protocol) \|\| can_read_protocol_in_repository?(protocol)`
			`elsif asset.result`
			`experiment = asset.result.my_module.experiment`
			`render_403 unless can_read_experiment?(experiment)`
			`elsif asset.repository_cell`
			`repository = asset.repository_cell.repository_column.repository`
Fix file view permission check in inventories [SCI-4440] 2020-03-12 18:52:46 +08:00			`render_403 unless can_read_repository?(repository)`
Implement read permissions checks for ActiveStorage controllers [SCI-3680] 2019-08-01 19:17:24 +08:00			`else`
			`render_403`
			`end`
			`end`

			`def check_tinymce_asset_read_permissions`
			`asset = @blob.attachments.first.record`
			`return render_403 unless asset`
Replace marvinJS logo and fix some merge issues [SCI-3731] (#1976) * Replace marvinJS logo and fix some merge issues * Fix tests 2019-08-13 17:04:19 +08:00			`return true if asset.object.nil? && asset.team == current_team`
Implement read permissions checks for ActiveStorage controllers [SCI-3680] 2019-08-01 19:17:24 +08:00
			`case asset.object_type`
			`when 'MyModule'`
			`render_403 unless can_read_experiment?(asset.object.experiment)`
			`when 'Protocol'`
			`render_403 unless can_read_protocol_in_module?(asset.object) \|\|`
			`can_read_protocol_in_repository?(asset.object)`
			`when 'ResultText'`
			`render_403 unless can_read_experiment?(asset.object.result.my_module.experiment)`
			`when 'Step'`
			`render_403 unless can_read_protocol_in_module?(asset.object.protocol) \|\|`
			`can_read_protocol_in_repository?(asset.object.protocol)`
			`else`
			`render_403`
			`end`
			`end`

			`def check_experiment_read_permissions`
			`render_403 && return unless can_read_experiment?(@blob.attachments.first.record)`
			`end`

			`def check_zip_export_read_permissions`
			`render_403 unless @blob.attachments.first.record.user == current_user`
			`end`
			`end`
			`end`