Use render_host for download_submission_file

Sebastian Serth
2023-12-22 00:54:25 +01:00
committed by Sebastian Serth
parent 17dd8b1267
commit 8fd5829110
3 changed files with 18 additions and 7 deletions


@ -5,8 +5,16 @@ class LiveStreamsController < ApplicationController
# Therefore, it is extracted into a separate controller
include ActionController::Live
skip_before_action :deny_access_from_render_host, only: :download_submission_file
skip_before_action :verify_authenticity_token, only: :download_submission_file
skip_before_action :set_sentry_context, only: :download_submission_file
before_action :require_user!, except: :download_submission_file
def download_submission_file
@submission = authorize AuthenticatedUrlHelper.retrieve!(Submission, request, force_render_host: false)
@submission = AuthenticatedUrlHelper.retrieve!(Submission, request)
# Set @current_user with the corresponding learner for Pundit checks
@current_user = @submission.user
authorize @submission
rescue Pundit::NotAuthorizedError
# TODO: Option to disable?
# Using the submission ID parameter would allow looking up the corresponding exercise ID
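Review bot: In `download_submission_file`, `@current_user = @submission.user` is taken from the record the signed URL resolved to, so the following `authorize @submission` evaluates the policy as the submission's owner and the signed URL is the only credential for this action. With `require_user!`, `verify_authenticity_token` and `deny_access_from_render_host` all skipped for this action, the assignment deserves a comment such as `# The signed URL is the sole credential here: its bearer is treated as the submission's owner for the Pundit check only`. Whether `AuthenticatedUrlHelper.retrieve!` enforces expiry and binds the token to the requested file path is not visible in this section and should be confirmed. The method continues past the hunk in the `rescue` branch, which should not rely on `@current_user` being a logged-in user.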


@ -498,6 +498,7 @@ class SubmissionsController < ApplicationController
def augment_files_for_download(files)
submission_files = @submission.collect_files + @submission.exercise.files
host = ApplicationController::RENDER_HOST || request.host
files.filter_map do |file|
# Reject files that were already present in the submission
# We further reject files that share the same name (excl. file extension) and path as a file in the submission
@ -505,7 +506,7 @@ class SubmissionsController < ApplicationController
next if submission_files.any? {|submission_file| submission_file.filepath_without_extension == file.filepath_without_extension }
# Downloadable files get a signed download_path and an indicator whether we performed a privileged execution
file.download_path = AuthenticatedUrlHelper.sign(download_stream_file_submission_url(@submission, file.filepath), @submission)
file.download_path = AuthenticatedUrlHelper.sign(download_stream_file_submission_url(@submission, file.filepath, host:), @submission)
file.privileged_execution = @submission.execution_environment.privileged_execution
file
end
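Review bot: `host = ApplicationController::RENDER_HOST || request.host` in `augment_files_for_download` falls back only when the constant is `nil`; if `RENDER_HOST` can be an empty string (its definition is not shown here), `||` keeps it and the signed `download_path` is built for a blank host. `host = ApplicationController::RENDER_HOST.presence || request.host` covers both cases. The fallback also means downloads are served from the application's own origin when no render host is configured, so user-produced files are no longer kept on a separate origin. A one-line comment above the assignment should say so, and it is worth checking that `retrieve!` accepts the request host in that setup.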