mirror of
https://github.com/scinote-eln/scinote-web.git
synced 2024-09-21 07:26:15 +08:00
Fix blob permissions check to support multiple attachments [SCI-5613]
This commit is contained in:
Oleksii Kriuchykhin
parent
fe8f006f6e
commit
f13f3691b1
|
|
@ -11,30 +11,32 @@ module ActiveStorage
|
|||
private
|
||||
|
||||
def check_read_permissions
|
||||
attachment = @blob.attachments.take
|
||||
return render_404 if attachment.blank?
|
||||
return render_404 if @blob.attachments.blank?
|
||||
|
||||
@blob.attachments.any? { |attachment| check_attachment_read_permissions(attachment) }
|
||||
end
|
||||
|
||||
def check_attachment_read_permissions(attachment)
|
||||
case attachment.record_type
|
||||
when 'Asset'
|
||||
check_asset_read_permissions
|
||||
check_asset_read_permissions(attachment.record)
|
||||
when 'TinyMceAsset'
|
||||
check_tinymce_asset_read_permissions
|
||||
check_tinymce_asset_read_permissions(attachment.record)
|
||||
when 'Experiment'
|
||||
check_experiment_read_permissions
|
||||
check_experiment_read_permissions(attachment.record)
|
||||
when 'Report'
|
||||
check_report_read_permissions
|
||||
check_report_read_permissions(attachment.record)
|
||||
when 'User'
|
||||
# No read restrictions for avatars
|
||||
true
|
||||
when 'ZipExport', 'TeamZipExport'
|
||||
check_zip_export_read_permissions
|
||||
check_zip_export_read_permissions(attachment.record)
|
||||
else
|
||||
render_403
|
||||
end
|
||||
end
|
||||
|
||||
def check_asset_read_permissions
|
||||
asset = @blob.attachments.first.record
|
||||
def check_asset_read_permissions(asset)
|
||||
return render_403 unless asset
|
||||
|
||||
if asset.step
|
||||
|
|
@ -51,8 +53,7 @@ module ActiveStorage
|
|||
end
|
||||
end
|
||||
|
||||
def check_tinymce_asset_read_permissions
|
||||
asset = @blob.attachments.first.record
|
||||
def check_tinymce_asset_read_permissions(asset)
|
||||
return render_403 unless asset
|
||||
return true if asset.object.nil? && asset.team == current_team
|
||||
|
||||
|
|
@ -72,16 +73,16 @@ module ActiveStorage
|
|||
end
|
||||
end
|
||||
|
||||
def check_experiment_read_permissions
|
||||
render_403 && return unless can_read_experiment?(@blob.attachments.first.record)
|
||||
def check_experiment_read_permissions(experiment)
|
||||
render_403 && return unless can_read_experiment?(experiment)
|
||||
end
|
||||
|
||||
def check_report_read_permissions
|
||||
render_403 && return unless can_read_project?(@blob.attachments.first.record.project)
|
||||
def check_report_read_permissions(report)
|
||||
render_403 && return unless can_read_project?(report.project)
|
||||
end
|
||||
|
||||
def check_zip_export_read_permissions
|
||||
render_403 unless @blob.attachments.first.record.user == current_user
|
||||
def check_zip_export_read_permissions(zip_export)
|
||||
render_403 unless zip_export.user == current_user
|
||||
end
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in a new issue