Respect subpath for (render_)protected_upload_path

2022-09-28 10:59:20 +02:00
parent 0b374491ac
commit 3263d4f838
3 changed files with 6 additions and 6 deletions
--- a/app/controllers/code_ocean/files_controller.rb
+++ b/app/controllers/code_ocean/files_controller.rb
@ -20,7 +20,7 @@ module CodeOcean
      @file = CodeOcean::File.find(params[:id])
      authorize!
      # The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
-      raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.name_with_extension != params[:filename]
+      raise Pundit::NotAuthorizedError if @embed_options[:disable_download] || @file.filepath != params[:filename]
      real_location = Pathname(@file.native_file.current_path).realpath
      send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension, disposition: 'attachment')
@ -33,7 +33,7 @@ module CodeOcean
      @file = authorize AuthenticatedUrlHelper.retrieve!(CodeOcean::File, request)
      # The `@file.name_with_extension` is assembled based on the user-selected file type, not on the actual file name stored on disk.
-      raise Pundit::NotAuthorizedError unless @file.name_with_extension == params[:filename]
+      raise Pundit::NotAuthorizedError unless @file.filepath == params[:filename]
      real_location = Pathname(@file.native_file.current_path).realpath
      send_file(real_location, type: @file.native_file.content_type, filename: @file.name_with_extension)
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@ -62,7 +62,7 @@ class SubmissionsController < ApplicationController
    raise Pundit::NotAuthorizedError if @embed_options[:disable_download]
    if @file.native_file?
-      redirect_to protected_upload_path(id: @file.id, filename: @file.name_with_extension)
+      redirect_to protected_upload_path(id: @file.id, filename: @file.filepath)
    else
      send_data(@file.content, filename: @file.name_with_extension, disposition: 'attachment')
    end
@ -92,7 +92,7 @@ class SubmissionsController < ApplicationController
    # Finally grant access and send the file
    if @file.native_file?
-      url = render_protected_upload_url(id: @file.id, filename: @file.name_with_extension)
+      url = render_protected_upload_url(id: @file.id, filename: @file.filepath)
      redirect_to AuthenticatedUrlHelper.sign(url, @file)
    else
      send_data(@file.content, filename: @file.name_with_extension, disposition: 'inline')
--- a/spec/controllers/submissions_controller_spec.rb
+++ b/spec/controllers/submissions_controller_spec.rb
@ -76,7 +76,7 @@ describe SubmissionsController do
        expect_assigns(submission: :submission)
        it 'sets the correct redirect' do
-          expect(response.location).to eq protected_upload_url(id: file, filename: file.name_with_extension)
+          expect(response.location).to eq protected_upload_url(id: file, filename: file.filepath)
        end
      end
@ -127,7 +127,7 @@ describe SubmissionsController do
      context 'with a binary file' do
        let(:file) { submission.collect_files.detect {|file| file.file_type.file_extension == '.mp4' } }
-        let(:signed_url_video) { AuthenticatedUrlHelper.sign(render_protected_upload_url(id: file, filename: file.name_with_extension), file) }
+        let(:signed_url_video) { AuthenticatedUrlHelper.sign(render_protected_upload_url(id: file, filename: file.filepath), file) }
        expect_assigns(file: :file)
        expect_assigns(submission: :submission)