diff --git a/app/services/attachments/create_service.rb b/app/services/attachments/create_service.rb index 33f00f1586..850f6c13e0 100644 --- a/app/services/attachments/create_service.rb +++ b/app/services/attachments/create_service.rb @@ -31,6 +31,18 @@ class Attachments::CreateService < ::BaseServices::Create around_call :error_wrapped_call + ## + # Create an attachment service bypassing the user-provided whitelist + # for internal purposes such as exporting data. + # + # @param user The user to call the service with + # @param whitelist A custom whitelist to validate with, or empty to disable validation + # + # Warning: When passing an empty whitelist, this results in no validations on the content type taking place. + def self.bypass_whitelist(user:, whitelist: []) + new(user: user, contract_options: { whitelist: whitelist.map(&:to_s) }) + end + def persist(call) attachment = call.result if attachment.container diff --git a/app/workers/backup_job.rb b/app/workers/backup_job.rb index 964d5229ee..9d95183339 100644 --- a/app/workers/backup_job.rb +++ b/app/workers/backup_job.rb @@ -121,7 +121,7 @@ class BackupJob < ::ApplicationJob def store_backup(file_name, backup:, user:) File.open(file_name) do |file| call = Attachments::CreateService - .new(user: user) + .bypass_whitelist(user: user) .call(container: backup, filename: file_name, file: file, description: 'OpenProject backup') call.on_success do diff --git a/app/workers/work_packages/exports/export_job.rb b/app/workers/work_packages/exports/export_job.rb index c0a4544b05..ea09c48680 100644 --- a/app/workers/work_packages/exports/export_job.rb +++ b/app/workers/work_packages/exports/export_job.rb @@ -90,7 +90,7 @@ module WorkPackages def store_attachment(container, file) call = Attachments::CreateService - .new(user: User.current) + .bypass_whitelist(user: User.current) .call(container: container, file: file, filename: File.basename(file), description: '') call.on_success do diff --git a/modules/bim/app/controllers/bim/bcf/issues_controller.rb b/modules/bim/app/controllers/bim/bcf/issues_controller.rb index 6c5a33097e..3d3269dd64 100644 --- a/modules/bim/app/controllers/bim/bcf/issues_controller.rb +++ b/modules/bim/app/controllers/bim/bcf/issues_controller.rb @@ -215,7 +215,7 @@ module Bim def create_attachment filename = params[:bcf_file].original_filename call = Attachments::CreateService - .new(user: current_user) + .bypass_whitelist(user: current_user, whitelist: %w[application/zip]) .call(file: params[:bcf_file], filename: filename, description: filename) diff --git a/modules/bim/app/models/bim/ifc_models/ifc_model.rb b/modules/bim/app/models/bim/ifc_models/ifc_model.rb index 807606a8bd..940acb76fe 100644 --- a/modules/bim/app/models/bim/ifc_models/ifc_model.rb +++ b/modules/bim/app/models/bim/ifc_models/ifc_model.rb @@ -26,7 +26,7 @@ module Bim delete_attachment name call = ::Attachments::CreateService - .new(user: User.current) + .bypass_whitelist(user: User.current) .call(file: file, container: self, filename: file.original_filename, description: name) call.on_failure { Rails.logger.error "Failed to add #{name} attachment: #{call.message}" }