openproject/lib/api/v3/attachments/attachments_api.rb

#-- copyright
# OpenProject is an open source project management software.
# Copyright (C) 2012-2021 the OpenProject GmbH
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License version 3.
#
# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:
# Copyright (C) 2006-2013 Jean-Philippe Lang
# Copyright (C) 2010-2013 the ChiliProject Team
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
# See docs/COPYRIGHT.rdoc for more details.
#++

require 'api/v3/attachments/attachment_representer'

module API
  module V3
    module Attachments
      class AttachmentsAPI < ::API::OpenProjectAPI
        resources :attachments do
          helpers API::V3::Attachments::AttachmentsByContainerAPI::Helpers

          helpers do
            def container
              nil
            end
          end

          post &API::V3::Attachments::AttachmentsByContainerAPI.create

          namespace :prepare do
            post &API::V3::Attachments::AttachmentsByContainerAPI.prepare
          end

          route_param :id, type: Integer, desc: 'Attachment ID' do
            after_validation do
              @attachment = Attachment.find(params[:id])

              raise ::API::Errors::NotFound.new unless @attachment.visible?(current_user)
            end

            get do
              AttachmentRepresenter.new(@attachment, embed_links: true, current_user: current_user)
            end

            delete &::API::V3::Utilities::Endpoints::Delete.new(model: Attachment).mount

            namespace :content, &::API::Helpers::AttachmentRenderer.content_endpoint(&-> {
              @attachment
            })

            namespace :uploaded do
              get do
                attachment = Attachment.pending_direct_uploads.where(id: params[:id]).first!

                raise API::Errors::NotFound unless attachment.file.readable?

                ::Attachments::FinishDirectUploadJob.perform_later attachment.id

                ::API::V3::Attachments::AttachmentRepresenter.new(attachment, current_user: current_user)
              end
            end
          end
        end
      end
    end
  end
end
Add missing Copyright headers in lib (API) code [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com> 10 years ago			`#-- copyright`
Update copyright notice 5 years ago			`# OpenProject is an open source project management software.`
update copyright to 2021 (#8925) Updates the copyright to 2021 for all files that have a copyright. Files in our source code without the copyright header still do not receive one automatically. Additionally, backlisted files are also excluded. Previously the copyright of chiliproject which references redmine stated a copyright of redmine up to and including 2017 which is not true for the code we have in here. Because of that I changed that to 2013 4 years ago			`# Copyright (C) 2012-2021 the OpenProject GmbH`
Add missing Copyright headers in lib (API) code [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com> 10 years ago			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU General Public License version 3.`
			`#`
			`# OpenProject is a fork of ChiliProject, which is a fork of Redmine. The copyright follows:`
update copyright to 2021 (#8925) Updates the copyright to 2021 for all files that have a copyright. Files in our source code without the copyright header still do not receive one automatically. Additionally, backlisted files are also excluded. Previously the copyright of chiliproject which references redmine stated a copyright of redmine up to and including 2017 which is not true for the code we have in here. Because of that I changed that to 2013 4 years ago			`# Copyright (C) 2006-2013 Jean-Philippe Lang`
Add missing Copyright headers in lib (API) code [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com> 10 years ago			`# Copyright (C) 2010-2013 the ChiliProject Team`
			`#`
			`# This program is free software; you can redistribute it and/or`
			`# modify it under the terms of the GNU General Public License`
			`# as published by the Free Software Foundation; either version 2`
			`# of the License, or (at your option) any later version.`
			`#`
			`# This program is distributed in the hope that it will be useful,`
			`# but WITHOUT ANY WARRANTY; without even the implied warranty of`
			`# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
			`# GNU General Public License for more details.`
			`#`
			`# You should have received a copy of the GNU General Public License`
			`# along with this program; if not, write to the Free Software`
			`# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.`
			`#`
Bump copyright to 2018 (#6171) [ci skip] 7 years ago			`# See docs/COPYRIGHT.rdoc for more details.`
Add missing Copyright headers in lib (API) code [ci skip] Signed-off-by: Alex Coles <alex@alexbcoles.com> 10 years ago			`#++`

specify classes explicitly rather than implicitly This is a new try for the APIv3 classes, we either: - FULLY qualify a class and let the autoloader do the rest - don't qualify at all, but require the class explicitly Thus we do not (yet) completely give up on the rails autoloader, but we circumvent a fair amount of its magic (and problems). The hope is to eliminate the following problems in development mode: - NameErrors because the autoloader infers the wrong prefix - "object is not missing constant" errors occuring more rarely Let's see how that turns out to work... 10 years ago			`require 'api/v3/attachments/attachment_representer'`

Created show attachment API endpoint 11 years ago			`module API`
			`module V3`
			`module Attachments`
allow to patch existing API endpoints 10 years ago			`class AttachmentsAPI < ::API::OpenProjectAPI`
Created show attachment API endpoint 11 years ago			`resources :attachments do`
add endpoint for unattached attachments 7 years ago			`helpers API::V3::Attachments::AttachmentsByContainerAPI::Helpers`

			`helpers do`
			`def container`
			`nil`
			`end`
			`end`

[37868] Whitelist for attachment mime types and extensions on upload (#9431) * Add setting for whitelist * Make attachments API BaseServices compatible * Add prepare service and contract * Correctly pass the filename to the UploadedFile * Add presence check to filename * Fix expected validation message * We no longer raise a multipart error when metadata is empty * Fix filesize validation on prepared uploads * Add parser error if invalid metadata json * When attachment is not saved, use filename property * Return correct error message on JSON parser erroro * Fix specs * Use attachment upload representer * Fix direct uploads mocks with new service layer * Lint * Fix export job using attachment service * Fix IFC controller using attachment prepare service * Fix export job * RenameRename params_getter to params_source * Fix mail handler using attachment service * Fix usage of attachment create service in documents * Reuse shared examples for document attachment spec * Fix stubbed attachment service in export job spec * Use admin user in backup spec * Fix export job for bim * Fix attachment integration spec * Fix issues_controller spec * Make budget resource spec reuse common examples * Fix attachment parsing representer spec * Replace prepare part of attachment spec into separate service spec * Clear cache for login spec * Convert document create/update into services * Budget services * Allow options to be passed to property twin * Remove setting author on budget initialize * Replace meetings update with services * Replace ifc models attachment handling with services * Don't check uploader if changed by system * Fix uploader being changed by system * Replace wiki page attach_files with attachable services * Replace avatar saving * Replace snapshot attach_files * Skip double validation when container present * Set snapshot through attachment service * Remove attach_files * Validate content type in contract * Enforce writing the content type without accepting user input * Expect changed content_type * Fix content of viewpoint image to get correct content type * Fix tsv spec * Add create contract spec * Bypass whitelist in internal services when conflicting with user * Fix expects in specs after whitelist bypass * Render contract errors for wiki * Add before_hook to bodied to allow to pre-authorize permissions * Budget errors from contract * Document errors from contract 3 years ago			`post &API::V3::Attachments::AttachmentsByContainerAPI.create`
direct uploads to S3 for attachments including IFC models Co-authored-by: Oliver Günther <mail@oliverguenther.de> 4 years ago
			`namespace :prepare do`
[37868] Whitelist for attachment mime types and extensions on upload (#9431) * Add setting for whitelist * Make attachments API BaseServices compatible * Add prepare service and contract * Correctly pass the filename to the UploadedFile * Add presence check to filename * Fix expected validation message * We no longer raise a multipart error when metadata is empty * Fix filesize validation on prepared uploads * Add parser error if invalid metadata json * When attachment is not saved, use filename property * Return correct error message on JSON parser erroro * Fix specs * Use attachment upload representer * Fix direct uploads mocks with new service layer * Lint * Fix export job using attachment service * Fix IFC controller using attachment prepare service * Fix export job * RenameRename params_getter to params_source * Fix mail handler using attachment service * Fix usage of attachment create service in documents * Reuse shared examples for document attachment spec * Fix stubbed attachment service in export job spec * Use admin user in backup spec * Fix export job for bim * Fix attachment integration spec * Fix issues_controller spec * Make budget resource spec reuse common examples * Fix attachment parsing representer spec * Replace prepare part of attachment spec into separate service spec * Clear cache for login spec * Convert document create/update into services * Budget services * Allow options to be passed to property twin * Remove setting author on budget initialize * Replace meetings update with services * Replace ifc models attachment handling with services * Don't check uploader if changed by system * Fix uploader being changed by system * Replace wiki page attach_files with attachable services * Replace avatar saving * Replace snapshot attach_files * Skip double validation when container present * Set snapshot through attachment service * Remove attach_files * Validate content type in contract * Enforce writing the content type without accepting user input * Expect changed content_type * Fix content of viewpoint image to get correct content type * Fix tsv spec * Add create contract spec * Bypass whitelist in internal services when conflicting with user * Fix expects in specs after whitelist bypass * Render contract errors for wiki * Add before_hook to bodied to allow to pre-authorize permissions * Budget errors from contract * Document errors from contract 3 years ago			`post &API::V3::Attachments::AttachmentsByContainerAPI.prepare`
add endpoint for unattached attachments 7 years ago			`end`

Avoid before blocks and raw params access for IDs Grape's validation runs after a `before` block so we should avoid using raw params there and instead using `declared(params)` which returns only the validated whitelisted params, much like a permitted params hash. 6 years ago			`route_param :id, type: Integer, desc: 'Attachment ID' do`
			`after_validation do`
Created show attachment API endpoint 11 years ago			`@attachment = Attachment.find(params[:id])`
rework attachments endpoint according to spec - drop useless properties - add essential properties - for now limit to work packages only 10 years ago
extend attachments api to wiki_pages 7 years ago			`raise ::API::Errors::NotFound.new unless @attachment.visible?(current_user)`
Created show attachment API endpoint 11 years ago			`end`

			`get do`
extend attachments api to wiki_pages 7 years ago			`AttachmentRepresenter.new(@attachment, embed_links: true, current_user: current_user)`
Created show attachment API endpoint 11 years ago			`end`
delete attachments via APIv3 10 years ago
have a delete service for attachments 5 years ago			`delete &::API::V3::Utilities::Endpoints::Delete.new(model: Attachment).mount`
add download endpoint to attachment resource 7 years ago
Fix/bump gems (#8770) * bump aws-sdk-core * bump danger * bump parser * bump grape - stream related header setting bug has been fixed * reapply cache headers on stream as grape insists on niling them * bump aws-partitions * bump regexp_parser * bump rubocop * bump webmock 4 years ago			`namespace :content, &::API::Helpers::AttachmentRenderer.content_endpoint(&-> {`
			`@attachment`
			`})`
direct uploads to S3 for attachments including IFC models Co-authored-by: Oliver Günther <mail@oliverguenther.de> 4 years ago
			`namespace :uploaded do`
			`get do`
			`attachment = Attachment.pending_direct_uploads.where(id: params[:id]).first!`

			`raise API::Errors::NotFound unless attachment.file.readable?`

			`::Attachments::FinishDirectUploadJob.perform_later attachment.id`

			`::API::V3::Attachments::AttachmentRepresenter.new(attachment, current_user: current_user)`
			`end`
			`end`
Created show attachment API endpoint 11 years ago			`end`
			`end`
			`end`
			`end`
			`end`
			`end`