Remove dowload endpoint from assets controller [SCI-3680]

2025-09-08 14:15:35 +08:00 · 2019-08-07 13:29:04 +02:00 · 2019-08-07 13:29:04 +02:00 · b4f632dba8
commit b4f632dba8
parent d942788581
7 changed files with 9 additions and 21 deletions
--- a/app/controllers/assets_controller.rb
+++ b/app/controllers/assets_controller.rb
@ -13,8 +13,7 @@ class AssetsController < ApplicationController
  include FileIconsHelper

  before_action :load_vars, except: :create_wopi_file
-  # File download permissions are now managed by ActiveStorage controllers
-  before_action :check_read_permission, except: %i(download edit)
+  before_action :check_read_permission, except: :edit
  before_action :check_edit_permission, only: :edit

  def file_preview
@ -23,7 +22,7 @@ class AssetsController < ApplicationController
      'type' => @asset.file.metadata[:asset_type] || (@asset.image? ? 'image' : 'file'),
      'filename' => truncate(escape_input(@asset.file_name),
                             length: Constants::FILENAME_TRUNCATION_LENGTH),
-      'download-url' => download_asset_path(@asset, timestamp: Time.now.to_i)
+      'download-url' => rails_blob_path(@asset.file, disposition: 'attachment')
    }

    can_edit = if @assoc.class == Step
@ -94,14 +93,6 @@ class AssetsController < ApplicationController
    return edit_supported, title
  end

-  def download
-    if !@asset.file.attached?
-      render_404
-    else
-      redirect_to rails_blob_path(@asset.file, disposition: 'attachment')
-    end
-  end
-
  def edit
    action = @asset.file_size.zero? && !@asset.locked? ? 'editnew' : 'edit'
    @action_url = append_wd_params(@asset.get_action_url(current_user, action, false))
--- a/app/controllers/concerns/active_storage/check_blob_permissions.rb
+++ b/app/controllers/concerns/active_storage/check_blob_permissions.rb
@ -21,7 +21,7 @@ module ActiveStorage
      when 'User'
        # No read restrictions for avatars
        true
-      when 'ZipExport'
+      when 'ZipExport', 'TeamZipExport'
        check_zip_export_read_permissions
      else
        render_403
--- a/app/views/my_modules/archive/_result.html.erb
+++ b/app/views/my_modules/archive/_result.html.erb
@ -9,7 +9,7 @@
      <li>
        <% option_text = t("my_modules.module_archive.option_download") %>
        <% if result.is_asset %>
-          <%= link_to t('protocols.index.archive_results.preview'), download_asset_path(result.asset),
+          <%= link_to t('protocols.index.archive_results.preview'), rails_blob_path(result.asset.file, disposition: 'attachment'),
              class: 'file-preview-link',
              id: "modal_link#{result.asset.id}",
              data: { turbolinks: false, id: true, status: 'asset-present', 'preview-url': asset_file_preview_path(result.asset) } %>
--- a/app/views/search/results/partials/_asset_text.html.erb
+++ b/app/views/search/results/partials/_asset_text.html.erb
@ -7,7 +7,7 @@
  <% if can_read_protocol_in_module?(protocol) ||
        can_read_protocol_in_repository?(protocol) %>
    <% asset_read_allowed = true %>
-    <a href="<%= download_asset_path asset %>" target="_blank">
+    <a href="<%= rails_blob_path(asset.file, disposition: 'attachment') %>">
      <%= text %>
    </a>
  <% else %>
@ -16,7 +16,7 @@
 <% elsif asset.result %>
  <% if can_read_experiment?(asset.result.my_module.experiment) %>
    <% asset_read_allowed = true %>
-    <a href="<%= download_asset_path asset %>" target="_blank">
+    <a href="<%= rails_blob_path(asset.file, disposition: 'attachment') %>">
      <%= text %>
    </a>
  <% else %>
@ -25,7 +25,7 @@
 <% elsif asset.repository_asset_value %>
  <% if can_read_team?(asset.repository_asset_value.repository_cell.repository_row.repository.team) %>
    <% asset_read_allowed = true %>
-    <a href="<%= download_asset_path asset %>" target="_blank">
+    <a href="<%= rails_blob_path(asset.file, disposition: 'attachment') %>">
      <%= text %>
    </a>
  <% else %>
--- a/app/views/shared/_asset_link.html.erb
+++ b/app/views/shared/_asset_link.html.erb
@ -1,4 +1,4 @@
-<%= link_to download_asset_path(asset),
+<%= link_to rails_blob_path(asset.file, disposition: 'attachment'),
  class: 'file-preview-link',
  id: "modal_link#{asset.id}",
  data: { no_turbolink: true,
--- a/app/views/steps/attachments/_item.html.erb
+++ b/app/views/steps/attachments/_item.html.erb
@ -1,6 +1,6 @@

 <div class="pseudo-attachment-container" style="order: <%= assets_count - i %>">
-    <%= link_to download_asset_path(asset),
+    <%= link_to rails_blob_path(asset.file, disposition: 'attachment'),
            class: 'file-preview-link',
            id: "modal_link#{asset.id}",
            data: { no_turbolink: true,
--- a/config/routes.rb
+++ b/config/routes.rb
@ -473,8 +473,6 @@ Rails.application.routes.draw do
    get 'result_texts/:id/download' => 'result_texts#download',
      as: :result_text_download
    resources :result_assets, only: [:edit, :update, :destroy]
-    get 'result_assets/:id/download' => 'result_assets#download',
-      as: :result_asset_download
    resources :result_tables, only: [:edit, :update, :destroy]
    get 'result_tables/:id/download' => 'result_tables#download',
      as: :result_table_download
@ -591,7 +589,6 @@ Rails.application.routes.draw do
    get 'files/:id/preview',
        to: 'assets#file_preview',
        as: 'asset_file_preview'
-    get 'files/:id/download', to: 'assets#download', as: 'download_asset'
    get 'files/:id/preview', to: 'assets#preview', as: 'preview_asset'
    get 'files/:id/view', to: 'assets#view', as: 'view_asset'
    get 'files/:id/edit', to: 'assets#edit', as: 'edit_asset'