mirror of
https://github.com/scinote-eln/scinote-web.git
synced 2024-11-19 07:32:34 +08:00
97 lines
3.1 KiB
Ruby
97 lines
3.1 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
module ActiveStorage
|
|
module CheckBlobPermissions
|
|
extend ActiveSupport::Concern
|
|
|
|
included do
|
|
before_action :check_read_permissions
|
|
end
|
|
|
|
private
|
|
|
|
def check_read_permissions
|
|
return render_404 if @blob.attachments.blank?
|
|
|
|
@blob.attachments.any? { |attachment| check_attachment_read_permissions(attachment) }
|
|
end
|
|
|
|
def check_attachment_read_permissions(attachment)
|
|
current_user.permission_team = attachment.record.team || current_team if attachment.record.respond_to?(:team)
|
|
|
|
case attachment.record_type
|
|
when 'Asset'
|
|
check_asset_read_permissions(attachment.record)
|
|
when 'TinyMceAsset'
|
|
check_tinymce_asset_read_permissions(attachment.record)
|
|
when 'Experiment'
|
|
check_experiment_read_permissions(attachment.record)
|
|
when 'Report'
|
|
check_report_read_permissions(attachment.record)
|
|
when 'User'
|
|
# No read restrictions for avatars
|
|
true
|
|
when 'ZipExport', 'TeamZipExport'
|
|
check_zip_export_read_permissions(attachment.record)
|
|
when 'TempFile'
|
|
check_temp_file_read_permissions(attachment.record)
|
|
else
|
|
render_403
|
|
end
|
|
end
|
|
|
|
def check_asset_read_permissions(asset)
|
|
return render_403 unless asset
|
|
|
|
if asset.step
|
|
protocol = asset.step.protocol
|
|
render_403 unless can_read_protocol_in_module?(protocol) || can_read_protocol_in_repository?(protocol)
|
|
elsif asset.result
|
|
experiment = asset.result.my_module.experiment
|
|
render_403 unless can_read_experiment?(experiment)
|
|
elsif asset.repository_cell
|
|
repository = asset.repository_cell.repository_column.repository
|
|
render_403 unless can_read_repository?(repository)
|
|
else
|
|
render_403
|
|
end
|
|
end
|
|
|
|
def check_tinymce_asset_read_permissions(asset)
|
|
return render_403 unless asset
|
|
|
|
return true if asset.object.nil? && can_read_team?(asset.team)
|
|
|
|
case asset.object_type
|
|
when 'MyModule'
|
|
render_403 unless can_read_my_module?(asset.object)
|
|
when 'Protocol'
|
|
render_403 unless can_read_protocol_in_module?(asset.object) ||
|
|
can_read_protocol_in_repository?(asset.object)
|
|
when 'ResultText'
|
|
render_403 unless can_read_my_module?(asset.object.result.my_module)
|
|
when 'StepText'
|
|
render_403 unless can_read_protocol_in_module?(asset.object.step.protocol) ||
|
|
can_read_protocol_in_repository?(asset.object.step.protocol)
|
|
else
|
|
render_403
|
|
end
|
|
end
|
|
|
|
def check_experiment_read_permissions(experiment)
|
|
render_403 && return unless can_read_experiment?(experiment)
|
|
end
|
|
|
|
def check_report_read_permissions(report)
|
|
render_403 && return unless can_read_project?(report.project)
|
|
end
|
|
|
|
def check_zip_export_read_permissions(zip_export)
|
|
render_403 unless zip_export.user == current_user
|
|
end
|
|
|
|
def check_temp_file_read_permissions(temp_file)
|
|
render_403 unless temp_file.session_id == request.session_options[:id].to_s
|
|
end
|
|
end
|
|
end
|