Fix permissions checking for active storage blobs belonging to different teams [SCI-9918] (#6871)

2025-10-01 01:14:30 +08:00 · 2024-01-03 17:09:15 +01:00 · 2024-01-03 17:09:15 +01:00 · dd312062d3
commit dd312062d3
parent 4fd6ecf112
2 changed files with 21 additions and 38 deletions
--- a/app/controllers/concerns/active_storage/check_blob_permissions.rb
+++ b/app/controllers/concerns/active_storage/check_blob_permissions.rb
@ -13,11 +13,13 @@ module ActiveStorage
    def check_read_permissions
      return render_404 if @blob.attachments.blank?

-      @blob.attachments.any? { |attachment| check_attachment_read_permissions(attachment) }
+      render_403 unless @blob.attachments.any? { |attachment| check_attachment_read_permissions(attachment) }
    end

    def check_attachment_read_permissions(attachment)
-      current_user.permission_team = attachment.record.team || current_team if attachment.record.respond_to?(:team)
+      current_user.permission_team = attachment.record.team if attachment.record.respond_to?(:team)
+
+      return false if attachment.record.blank?

      case attachment.record_type
      when 'Asset'
@ -25,73 +27,52 @@ module ActiveStorage
      when 'TinyMceAsset'
        check_tinymce_asset_read_permissions(attachment.record)
      when 'Experiment'
-        check_experiment_read_permissions(attachment.record)
+        can_read_experiment?(attachment.record)
      when 'Report'
-        check_report_read_permissions(attachment.record)
+        can_read_project?(attachment.record.project)
      when 'User'
        # No read restrictions for avatars
        true
      when 'ZipExport', 'TeamZipExport'
-        check_zip_export_read_permissions(attachment.record)
+        attachment.record.user == current_user
      when 'TempFile'
-        check_temp_file_read_permissions(attachment.record)
+        attachment.record.session_id == request.session_options[:id].to_s
      else
-        render_403
+        false
      end
    end

    def check_asset_read_permissions(asset)
-      return render_403 unless asset
-
      if asset.step
        protocol = asset.step.protocol
-        render_403 unless can_read_protocol_in_module?(protocol) || can_read_protocol_in_repository?(protocol)
+        can_read_protocol_in_module?(protocol) || can_read_protocol_in_repository?(protocol)
      elsif asset.result
        experiment = asset.result.my_module.experiment
-        render_403 unless can_read_experiment?(experiment)
+        can_read_experiment?(experiment)
      elsif asset.repository_cell
        repository = asset.repository_cell.repository_column.repository
-        render_403 unless can_read_repository?(repository)
+        can_read_repository?(repository)
      else
-        render_403
+        false
      end
    end

    def check_tinymce_asset_read_permissions(asset)
-      return render_403 unless asset
-
      return true if asset.object.nil? && can_read_team?(asset.team)

      case asset.object_type
      when 'MyModule'
-        render_403 unless can_read_my_module?(asset.object)
+        can_read_my_module?(asset.object)
      when 'Protocol'
-        render_403 unless can_read_protocol_in_module?(asset.object) ||
-                          can_read_protocol_in_repository?(asset.object)
+        can_read_protocol_in_module?(asset.object) || can_read_protocol_in_repository?(asset.object)
      when 'ResultText'
-        render_403 unless can_read_my_module?(asset.object.result.my_module)
+        can_read_my_module?(asset.object.result.my_module)
      when 'StepText'
-        render_403 unless can_read_protocol_in_module?(asset.object.step.protocol) ||
-                          can_read_protocol_in_repository?(asset.object.step.protocol)
+        can_read_protocol_in_module?(asset.object.step.protocol) ||
+          can_read_protocol_in_repository?(asset.object.step.protocol)
      else
-        render_403
+        false
      end
    end
-
-    def check_experiment_read_permissions(experiment)
-      render_403 && return unless can_read_experiment?(experiment)
-    end
-
-    def check_report_read_permissions(report)
-      render_403 && return unless can_read_project?(report.project)
-    end
-
-    def check_zip_export_read_permissions(zip_export)
-      render_403 unless zip_export.user == current_user
-    end
-
-    def check_temp_file_read_permissions(temp_file)
-      render_403 unless temp_file.session_id == request.session_options[:id].to_s
-    end
  end
 end
--- a/app/models/repository_asset_value.rb
+++ b/app/models/repository_asset_value.rb
@ -76,6 +76,8 @@ class RepositoryAssetValue < ApplicationRecord
  def snapshot!(cell_snapshot)
    value_snapshot = dup
    asset_snapshot = asset.dup
+    # Needed to handle shared repositories from another teams
+    asset_snapshot.team_id = cell_snapshot.repository_column.repository.team_id

    asset_snapshot.save!