Refactor render_file method

* We simplify the send_data call,
* ensure to set the correct header, and
* remove our custom MIME type detection
This commit is contained in:
Sebastian Serth
2022-09-03 21:25:50 +02:00
parent b6d8c7175b
commit 5b73f4df6f


@ -12,7 +12,7 @@ class SubmissionsController < ApplicationController
before_action :set_testrun, only: %i[run score test] before_action :set_testrun, only: %i[run score test]
before_action :set_files, only: %i[download show] before_action :set_files, only: %i[download show]
before_action :set_files_and_specific_file, only: %i[download_file render_file run test] before_action :set_files_and_specific_file, only: %i[download_file render_file run test]
before_action :set_mime_type, only: %i[download_file render_file] before_action :set_content_type_nosniff, only: %i[download download_file render_file]
# Overwrite the CSP header for the :render_file action # Overwrite the CSP header for the :render_file action
content_security_policy only: :render_file do |policy| content_security_policy only: :render_file do |policy|
@ -69,7 +69,7 @@ class SubmissionsController < ApplicationController
if @file.native_file? if @file.native_file?
redirect_to protected_upload_path(id: @file.id, filename: @file.name_with_extension) redirect_to protected_upload_path(id: @file.id, filename: @file.name_with_extension)
else else
send_data(@file.content, filename: @file.name_with_extension) send_data(@file.content, filename: @file.name_with_extension, disposition: 'attachment')
end end
end end
@ -80,11 +80,10 @@ class SubmissionsController < ApplicationController
end end
def render_file def render_file
if @file.native_file? # If a file should not be downloaded, it should not be rendered either
send_data(@file.read, filename: @file.name_with_extension, disposition: 'inline') raise Pundit::NotAuthorizedError if @embed_options[:disable_download]
else
render(plain: @file.content) send_data(@file.read, filename: @file.name_with_extension, disposition: 'inline')
end
end end
# rubocop:disable Metrics/CyclomaticComplexity # rubocop:disable Metrics/CyclomaticComplexity
@ -380,9 +379,9 @@ class SubmissionsController < ApplicationController
@files = @submission.collect_files.select(&:visible) @files = @submission.collect_files.select(&:visible)
end end
def set_mime_type def set_content_type_nosniff
@mime_type = Mime::Type.lookup_by_extension(@file.file_type.file_extension.gsub(/^\./, '')) # When sending a file, we want to ensure that browsers follow our Content-Type header
response.headers['Content-Type'] = @mime_type.to_s response.headers['X-Content-Type-Options'] = 'nosniff'
end end
def set_submission def set_submission
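Review bot: The new `send_data` call in render_file (third hunk) passes no `type:`, so Rails falls back to `application/octet-stream`; combined with the `X-Content-Type-Options: nosniff` header now set for this action (last hunk) and `disposition: 'inline'`, browsers will generally offer the body as a download rather than display it, which looks at odds with an action named render_file that carries its own CSP override. If displaying the content is the intent, the type should be set explicitly from a small allowlist of inert types (for example `type: 'text/plain'` for source files) instead of being left to the default. If the octet-stream default is the deliberate replacement for the removed `set_mime_type`, a comment above the call should say so, e.g. `# No type: on purpose – the octet-stream default plus nosniff keeps uploaded content from being interpreted as markup or script`. The `@embed_options[:disable_download]` guard also assumes `@embed_options` is populated before this action runs; that setup is outside the hunk, so if any route reaches render_file without it the guard raises NoMethodError rather than NotAuthorizedError.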