htwkmooc/codeocean
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Respect subpath for (render_)protected_upload_path

Browse Source
This commit is contained in:
Sebastian Serth
2022-09-28 10:59:20 +02:00
parent 0b374491ac
commit 3263d4f838
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/code_ocean/files_controller.rb
View File

@@ -20,7 +20,7 @@ module CodeOcean
@file = CodeOcean::File.find(params[:id])
authorize!
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.name_with_extension != params[:filename]
raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.filepath != params[:filename]
real_location = Pathname(@file.native_file.current_path).realpath
send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension, disposition: 'attachment')
@@ -33,7 +33,7 @@ module CodeOcean
@file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request)
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError unless @file.name_with_extension == params[:filename]
raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename]
real_location = Pathname(@file.native_file.current_path).realpath
send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension)

4
app/controllers/submissions_controller.rb
View File

@@ -62,7 +62,7 @@ class SubmissionsController < ApplicationController
raise Pundit::NotAuthorizedError if @embed_options[:disable_download]
if @file.native_file?
redirect_to protected_upload_path(id: @file.id, filename: @file.name_with_extension)
redirect_to protected_upload_path(id: @file.id, filename: @file.filepath)
else
send_data(@file.content, filename: @file.name_with_extension, disposition: 'attachment')
end
@@ -92,7 +92,7 @@ class SubmissionsController < ApplicationController
# Finally grant access and send the file
if @file.native_file?
url = render_protected_upload_url(id: @file.id, filename: @file.name_with_extension)
url = render_protected_upload_url(id: @file.id, filename: @file.filepath)
redirect_to AuthenticatedUrlHelper.sign(url, @file)
else
send_data(@file.content, filename: @file.name_with_extension, disposition: 'inline')