Merge pull request #806 from ZmagoD/disable_tiny_mce_asset_unless_step

Fixes bug with embedded images [SCI-1624]
2024-09-20 06:35:56 +08:00 · 2017-12-12 09:53:24 +01:00 · 2017-12-12 09:53:24 +01:00 · 00be4460cc
parent 306ae51a4c 7442684846
commit 00be4460cc
11 changed files with 38 additions and 20 deletions
--- a/app/controllers/result_texts_controller.rb
+++ b/app/controllers/result_texts_controller.rb
@ -34,7 +34,8 @@ class ResultTextsController < ApplicationController
  def create
    @result_text = ResultText.new(result_params[:result_text_attributes])
    # gerate a tag that replaces img tag in database
-    @result_text.text = parse_tiny_mce_asset_to_token(@result_text.text)
+    @result_text.text = parse_tiny_mce_asset_to_token(@result_text.text,
+                                                      @result_text)
    @result = Result.new(
      user: current_user,
      my_module: @my_module,
@ -88,7 +89,8 @@ class ResultTextsController < ApplicationController
  end

  def edit
-    @result_text.text = generate_image_tag_from_token(@result_text.text)
+    @result_text.text = generate_image_tag_from_token(@result_text.text,
+                                                      @result_text)
    respond_to do |format|
      format.json {
        render json: {
--- a/app/controllers/steps_controller.rb
+++ b/app/controllers/steps_controller.rb
@ -30,7 +30,7 @@ class StepsController < ApplicationController
  def create
    @step = Step.new(step_params)
    # gerate a tag that replaces img tag in database
-    @step.description = parse_tiny_mce_asset_to_token(@step.description)
+    @step.description = parse_tiny_mce_asset_to_token(@step.description, @step)
    @step.completed = false
    @step.position = @protocol.number_of_steps
    @step.protocol = @protocol
@ -118,7 +118,7 @@ class StepsController < ApplicationController
  end

  def edit
-    @step.description = generate_image_tag_from_token(@step.description)
+    @step.description = generate_image_tag_from_token(@step.description, @step)
    respond_to do |format|
      format.json do
        render json: {
--- a/app/helpers/tiny_mce_helper.rb
+++ b/app/helpers/tiny_mce_helper.rb
@ -1,29 +1,30 @@
 module TinyMceHelper
-  def parse_tiny_mce_asset_to_token(text, ref = nil)
+  def parse_tiny_mce_asset_to_token(text, obj)
    ids = []
-    html = Nokogiri::HTML(text)
+    html = Nokogiri::HTML(remove_pasted_tokens(text))
    html.search('img').each do |img|
      next unless img['data-token']
      img_id = Base62.decode(img['data-token'])
      ids << img_id
      token = "[~tiny_mce_id:#{img_id}]"
      img.replace(token)
-      next unless ref
+      next unless obj
      tiny_img = TinyMceAsset.find_by_id(img_id)
-      tiny_img.reference = ref unless tiny_img.step || tiny_img.result_text
+      tiny_img.reference = obj unless tiny_img.step || tiny_img.result_text
      tiny_img.save
    end
-    destroy_removed_tiny_mce_assets(ids, ref) if ref
+    destroy_removed_tiny_mce_assets(ids, obj) if obj
    html
  end

-  def generate_image_tag_from_token(text)
+  def generate_image_tag_from_token(text, obj)
    return unless text
-    regex = /\[~tiny_mce_id:([0-9a-zA-Z]+)\]/
+    regex = Constants::TINY_MCE_ASSET_REGEX
    text.gsub(regex) do |el|
      match = el.match(regex)
      img = TinyMceAsset.find_by_id(match[1])
-      next unless img
+      next unless img && img.team == current_team
+      next unless check_image_permissions(obj, img)
      image_tag img.url,
                class: 'img-responsive',
                data: { token: Base62.encode(img.id) }
@ -32,7 +33,7 @@ module TinyMceHelper

  def link_tiny_mce_assets(text, ref)
    ids = []
-    regex = /\[~tiny_mce_id:([0-9a-zA-Z]+)\]/
+    regex = Constants::TINY_MCE_ASSET_REGEX
    text.gsub(regex) do |img|
      match = img.match(regex)
      tiny_img = TinyMceAsset.find_by_id(match[1])
@ -62,4 +63,17 @@ module TinyMceHelper
      ref.tiny_mce_assets.where.not('id IN (?)', ids).destroy_all
    end
  end
+
+  def check_image_permissions(obj, img)
+    if obj.class == Step
+      img.step == obj
+    elsif obj.class == ResultText
+      img.result_text == obj
+    end
+  end
+
+  def remove_pasted_tokens(text)
+    regex = Constants::TINY_MCE_ASSET_REGEX
+    text.gsub(regex, ' ')
+  end
 end
--- a/app/utilities/protocols_exporter.rb
+++ b/app/utilities/protocols_exporter.rb
@ -41,7 +41,7 @@ module ProtocolsExporter

  def get_tiny_mce_assets(text)
    return unless text
-    regex = /\[~tiny_mce_id:([0-9a-zA-Z]+)\]/
+    regex = Constants::TINY_MCE_ASSET_REGEX
    tiny_assets_xml = "<descriptionAssets>\n"
    text.gsub(regex) do |el|
      match = el.match(regex)
--- a/app/utilities/protocols_importer.rb
+++ b/app/utilities/protocols_importer.rb
@ -170,6 +170,6 @@ module ProtocolsImporter
  # handle import from legacy exports
  def populate_rte_legacy(step_json)
    return unless step_json['description'] && step_json['description'].present?
-    step_json['description'].gsub(/\[~tiny_mce_id:([0-9a-zA-Z]+)\]/, '')
+    step_json['description'].gsub(Constants::TINY_MCE_ASSET_REGEX, '')
  end
 end
--- a/app/views/protocols/index/_protocol_preview_modal_body.html.erb
+++ b/app/views/protocols/index/_protocol_preview_modal_body.html.erb
@ -85,7 +85,7 @@
                    <em><%= t("protocols.steps.no_description") %></em>
                  <% else %>
                    <div class="ql-editor">
-                      <%= sanitize_input(generate_image_tag_from_token(step.description), ['img']) %>
+                      <%= sanitize_input(generate_image_tag_from_token(step.description, step), ['img']) %>
                    </div>
                  <% end %>
                </div>
--- a/app/views/reports/elements/_my_module_result_text_element.html.erb
+++ b/app/views/reports/elements/_my_module_result_text_element.html.erb
@ -23,7 +23,7 @@
  <div class="report-element-body">
    <div class="row">
      <div class="col-xs-12 text-container ql-editor">
-        <%= custom_auto_link(generate_image_tag_from_token(result_text.text),
+        <%= custom_auto_link(generate_image_tag_from_token(result_text.text, result_text),
                             simple_format: false,
                             tags: %w(img)) %>
      </div>
--- a/app/views/reports/elements/_my_module_step_element.html.erb
+++ b/app/views/reports/elements/_my_module_step_element.html.erb
@ -30,7 +30,7 @@
    <div class="row">
      <div class="col-xs-12 ql-editor">
        <% if strip_tags(step.description).present? %>
-          <%= custom_auto_link(generate_image_tag_from_token(step.description),
+          <%= custom_auto_link(generate_image_tag_from_token(step.description, step),
                               simple_format: false,
                               tags: %w(img)) %>
        <% else %>
--- a/app/views/results/_result_text.html.erb
+++ b/app/views/results/_result_text.html.erb
@ -1,5 +1,5 @@
 <div class="ql-editor">
-  <%= custom_auto_link(generate_image_tag_from_token(result.result_text.text),
+  <%= custom_auto_link(generate_image_tag_from_token(result.result_text.text, result.result_text),
                       simple_format: false,
                       tags: %w(img)) %>
 </div>
--- a/app/views/steps/_step.html.erb
+++ b/app/views/steps/_step.html.erb
@ -54,7 +54,7 @@
              <em><%= t('protocols.steps.no_description') %></em>
            <% else %>
              <div class="ql-editor">
-                <%= custom_auto_link(generate_image_tag_from_token(step.description),
+                <%= custom_auto_link(generate_image_tag_from_token(step.description, step),
                                     simple_format: false,
                                     tags: %w(img)) %>
              </div>
--- a/config/initializers/constants.rb
+++ b/config/initializers/constants.rb
@ -864,6 +864,8 @@ class Constants
  # Very basic regex to check for validity of emails
  BASIC_EMAIL_REGEX = URI::MailTo::EMAIL_REGEXP

+  TINY_MCE_ASSET_REGEX = /\[~tiny_mce_id:([0-9a-zA-Z]+)\]/
+
  # Team name for default admin user
  DEFAULT_PRIVATE_TEAM_NAME = 'My projects'.freeze