Updating permission check for image editing [SCI - 3153, 3159] (#1568)

*Add permission check for assets editing * Add check for image format
2024-12-28 19:24:10 +08:00 · 2019-03-19 13:52:57 +01:00 · 2019-03-19 13:52:57 +01:00 · 6eae12efab
commit 6eae12efab
parent a0a3c4b97f
5 changed files with 31 additions and 10 deletions
--- a/app/assets/javascripts/sitewide/file_preview.js.erb
+++ b/app/assets/javascripts/sitewide/file_preview.js.erb
@ -186,12 +186,17 @@
                .click(function(ev) {
                  ev.stopPropagation();
                }));
-            modal.find('.file-edit-link').off().click(function(ev) {
-              ev.preventDefault();
-              ev.stopPropagation();
-              modal.modal('hide');
-              initImageEditor(data);
-            });
+            if (data['editable']){
+              modal.find('.file-edit-link').css('display','');
+              modal.find('.file-edit-link').off().click(function(ev) {
+                ev.preventDefault();
+                ev.stopPropagation();
+                modal.modal('hide');
+                initImageEditor(data);
+              });
+            }else{
+              modal.find('.file-edit-link').css('display','none');
+            }
          }
        } else {
          modal.find('.file-preview-container').html(data['preview-icon']);
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@ -50,7 +50,8 @@ class AssetsController < ApplicationController
      'filename' => truncate(@asset.file_file_name,
                             length:
                               Constants::FILENAME_TRUNCATION_LENGTH),
-      'download-url' => download_asset_path(@asset, timestamp: Time.now.to_i)
+      'download-url' => download_asset_path(@asset, timestamp: Time.now.to_i),
+      'editable'     => @asset.editable?(current_user)
    }

    if @asset.is_image?
--- a/app/models/asset.rb
+++ b/app/models/asset.rb
@ -10,8 +10,10 @@ class Asset < ApplicationRecord

  # Paperclip validation
  has_attached_file :file,
-                    styles: { large: [Constants::LARGE_PIC_FORMAT, :jpg],
-                              medium: [Constants::MEDIUM_PIC_FORMAT, :jpg] },
+                    styles: {
+                      large: [Constants::LARGE_PIC_FORMAT, :jpg],
+                      medium: [Constants::MEDIUM_PIC_FORMAT, :jpg]
+                    },
                    convert_options: {
                      medium: '-quality 70 -strip',
                      all: '-background "#d2d2d2" -flatten +matte'
@ -463,6 +465,15 @@ class Asset < ApplicationRecord
    save
  end

+  def editable?(user)
+    objects = %w(step result)
+    my_module = send(objects.find { |object| send(object) }).my_module
+    Canaid::PermissionsHolder.instance.eval(:manage_experiment, user, my_module.experiment) &&
+      !locked? &&
+      %r{^image/#{Regexp.union(Constants::WHITELISTED_IMAGE_TYPES_EDITABLE)}} ===
+        file.content_type
+  end
+
  protected

  # Checks if attachments is an image (in post processing imagemagick will
--- a/app/views/shared/_file_preview_modal.html.erb
+++ b/app/views/shared/_file_preview_modal.html.erb
@ -15,7 +15,7 @@
        <a class="file-download-link" href="#" data-turbolinks="false">
          <p><span class="fas fa-download"></span> <%= t('Download')%></p>
        </a>
-        <a class="file-edit-link" href='#'>
+        <a class="file-edit-link" style="display:none" href='#'>
          <p><span class="fas fa-pencil-alt"></span> <%= t('Edit')%></p>
        </a>
      </div>
--- a/config/initializers/constants.rb
+++ b/config/initializers/constants.rb
@ -219,6 +219,10 @@ class Constants
    'gif', 'jpeg', 'pjpeg', 'png', 'x-png', 'svg+xml', 'bmp', 'tiff'
  ].freeze

+  WHITELISTED_IMAGE_TYPES_EDITABLE = %w(
+    gif jpeg pjpeg png
+  ).freeze
+
  WHITELISTED_TAGS = %w(
    a b strong i em li ul ol h1 del ins h2 h3 h4 h5 h6 br sub sup p code hr div
    span u s blockquote pre col colgroup table thead tbody th tr td