Bypass whitelist in internal services when conflicting with user

pull/9686/head
Oliver Günther 3 years ago
parent 2d3a246fa4
commit 15fc0846e6
No known key found for this signature in database
GPG Key ID: A3A8BDAD7C0C552C
  1. 12
      app/services/attachments/create_service.rb
  2. 2
      app/workers/backup_job.rb
  3. 2
      app/workers/work_packages/exports/export_job.rb
  4. 2
      modules/bim/app/controllers/bim/bcf/issues_controller.rb
  5. 2
      modules/bim/app/models/bim/ifc_models/ifc_model.rb

@ -31,6 +31,18 @@ class Attachments::CreateService < ::BaseServices::Create
around_call :error_wrapped_call
##
# Create an attachment service bypassing the user-provided whitelist
# for internal purposes such as exporting data.
#
# @param user The user to call the service with
# @param whitelist A custom whitelist to validate with, or empty to disable validation
#
# Warning: When passing an empty whitelist, this results in no validations on the content type taking place.
def self.bypass_whitelist(user:, whitelist: [])
new(user: user, contract_options: { whitelist: whitelist.map(&:to_s) })
end
def persist(call)
attachment = call.result
if attachment.container

@ -121,7 +121,7 @@ class BackupJob < ::ApplicationJob
def store_backup(file_name, backup:, user:)
File.open(file_name) do |file|
call = Attachments::CreateService
.new(user: user)
.bypass_whitelist(user: user)
.call(container: backup, filename: file_name, file: file, description: 'OpenProject backup')
call.on_success do

@ -90,7 +90,7 @@ module WorkPackages
def store_attachment(container, file)
call = Attachments::CreateService
.new(user: User.current)
.bypass_whitelist(user: User.current)
.call(container: container, file: file, filename: File.basename(file), description: '')
call.on_success do

@ -215,7 +215,7 @@ module Bim
def create_attachment
filename = params[:bcf_file].original_filename
call = Attachments::CreateService
.new(user: current_user)
.bypass_whitelist(user: current_user, whitelist: %w[application/zip])
.call(file: params[:bcf_file],
filename: filename,
description: filename)

@ -26,7 +26,7 @@ module Bim
delete_attachment name
call = ::Attachments::CreateService
.new(user: User.current)
.bypass_whitelist(user: User.current)
.call(file: file, container: self, filename: file.original_filename, description: name)
call.on_failure { Rails.logger.error "Failed to add #{name} attachment: #{call.message}" }

Loading…
Cancel
Save