Improve write permissions checking in WOPI controller, update Tika to 2.9.4 [SCI-11898] (#8481)

Alex Kriuchykhin 2025-05-06 10:58:03 +02:00 committed by GitHub
parent 5ef36d6769
commit 67b4e2bd99
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 9 additions and 11 deletions


@ -1,7 +1,7 @@
FROM ruby:3.2-bookworm
MAINTAINER SciNote <info@scinote.net>
ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.3/tika-app-2.9.3.jar"
ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.4/tika-app-2.9.4.jar"
ENV TIKA_PATH=/usr/local/bin/tika-app.jar
# additional dependecies


@ -45,7 +45,7 @@ RUN \
FROM ruby:3.2-bookworm AS runner
MAINTAINER SciNote <info@scinote.net>
ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.3/tika-app-2.9.3.jar"
ARG TIKA_DIST_URL="https://dlcdn.apache.org/tika/2.9.4/tika-app-2.9.4.jar"
ENV TIKA_PATH=/usr/local/bin/tika-app.jar
RUN rm -f /etc/apt/apt.conf.d/docker-clean; echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache


@ -2,8 +2,8 @@ class WopiController < ActionController::Base
include WopiUtil
skip_before_action :verify_authenticity_token
before_action :load_vars, :authenticate_user_from_token!
before_action :verify_proof!
before_action :load_vars, :authenticate_user_from_token!
# Only used for checkfileinfo
def file_get_endpoint
@ -25,11 +25,11 @@ class WopiController < ActionController::Base
def post_file_endpoint
override = request.headers['X-WOPI-Override']
return render body: nil, status: :unauthorized if !@can_write && %w(LOCK UNLOCK REFRESH_LOCK).include?(override)
case override
when 'GET_LOCK'
get_lock
when 'PUT_RELATIVE'
put_relative
when 'LOCK'
old_lock = request.headers['X-WOPI-OldLock']
if old_lock.nil?
@ -41,7 +41,7 @@ class WopiController < ActionController::Base
unlock
when 'REFRESH_LOCK'
refresh_lock
when 'GET_SHARE_URL'
when 'GET_SHARE_URL', 'PUT_RELATIVE'
render body: nil, status: :not_implemented
else
render body: nil, status: :not_found
@ -51,6 +51,8 @@ class WopiController < ActionController::Base
# Only used for putfile
def file_contents_post_endpoint
logger.warn 'WOPI: post_file_contents called'
return render body: nil, status: :unauthorized unless @can_write
put_file
end
@ -95,10 +97,6 @@ class WopiController < ActionController::Base
render json: msg
end
def put_relative
render body: nil, status: :not_implemented
end
def lock
lock = request.headers['X-WOPI-Lock']
logger.warn 'WOPI: lock; ' + lock.to_s
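Review bot: The new guard at the top of `post_file_endpoint` lists the overrides it refuses (`%w(LOCK UNLOCK REFRESH_LOCK)`), so a write-type override added to the `case` later is open to a read-only token unless that list is also extended. Naming what a non-writer may call instead would fail closed, e.g. `return render body: nil, status: :unauthorized unless @can_write || override == 'GET_LOCK'`. With that form a read-only token gets 401 rather than 501/404 on the remaining branches. Neither this guard nor the one added in `file_contents_post_endpoint` logs the refusal, so a `logger.warn` naming the override on the deny path would make rejected write attempts visible in the logs. The assignment of `@can_write` is outside the visible hunks, presumably in one of the `before_action` callbacks; an unset value is `nil`, so both guards deny by default, which is worth recording in a comment next to them.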


@ -17,7 +17,7 @@ describe WopiController, type: :controller do
end
let(:protocol_in_repository) { create :protocol, :in_public_repository, team: team, added_by: user }
let(:protocol_in_repository) { create :protocol, :in_repository_draft, team: team, added_by: user }
let(:step_in_repository) { create :step, protocol: protocol_in_repository, user: user }
let!(:asset) { create :asset }