htwkmooc/codeocean
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Respect subpath for (render_)protected_upload_path

Browse Source
This commit is contained in:
Sebastian Serth
2022-09-28 10:59:20 +02:00
parent 0b374491ac
commit 3263d4f838
3 changed files with 6 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
app/controllers/code_ocean/files_controller.rb
View File

@ -20,7 +20,7 @@ module CodeOcean
@file = CodeOcean::File.find(params[:id])
authorize!
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.name_with_extension != params[:filename]
raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.filepath != params[:filename]
real_location = Pathname(@file.native_file.current_path).realpath
send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension, disposition: 'attachment')
@ -33,7 +33,7 @@ module CodeOcean
@file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request)
# The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
raise Pundit::NotAuthorizedError unless @file.name_with_extension == params[:filename]
raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename]
real_location = Pathname(@file.native_file.current_path).realpath
send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension)