diff --git a/app/controllers/api/active_storage_blobs_proxy_controller.rb b/app/controllers/api/active_storage_blobs_proxy_controller.rb
index f023f021..6f505992 100644
--- a/app/controllers/api/active_storage_blobs_proxy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_controller.rb
@@ -21,7 +21,11 @@ module Api
 blob = ActiveStorage::Blob.find_by!(uuid: blob_uuid)
- authorization_check!(blob) if exp.blank?
+ attachment = blob.attachments.take
+
+ @record = attachment.record
+
+ authorization_check!(attachment) if exp.blank?
 if request.headers['Range'].present?
 send_blob_byte_range_data blob, request.headers['Range']
@@ -37,9 +41,7 @@ module Api
 private
- def authorization_check!(blob)
- attachment = blob.attachments.take
-
+ def authorization_check!(attachment)
 is_authorized = attachment.name.in?(%w[logo preview_images]) ||
 (current_user && attachment.record.account.id == current_user.account_id) ||
 (current_user && !Docuseal.multitenant? && current_user.role == 'superadmin') ||
diff --git a/app/controllers/api/submitter_email_clicks_controller.rb b/app/controllers/api/submitter_email_clicks_controller.rb
index 87221680..cef26542 100644
--- a/app/controllers/api/submitter_email_clicks_controller.rb
+++ b/app/controllers/api/submitter_email_clicks_controller.rb
@@ -6,10 +6,10 @@ module Api
 skip_authorization_check
 def create
- submitter = Submitter.find_by!(slug: params[:submitter_slug])
+ @submitter = Submitter.find_by!(slug: params[:submitter_slug])
- if params[:t] == SubmissionEvents.build_tracking_param(submitter, 'click_email')
- SubmissionEvents.create_with_tracking_data(submitter, 'click_email', request)
+ if params[:t] == SubmissionEvents.build_tracking_param(@submitter, 'click_email')
+ SubmissionEvents.create_with_tracking_data(@submitter, 'click_email', request)
 end
 render json: {}
diff --git a/app/controllers/api/submitter_form_views_controller.rb b/app/controllers/api/submitter_form_views_controller.rb
index 98d7f5b5..e8b52095
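Review bot: `@record = attachment.record` now executes on every request, including the signed-URL path where `exp` is present and no attachment was previously required, so a blob with no attachment (`blob.attachments.take` returning nil) fails with a NoMethodError instead of being served as before. If unattached blobs can reach this action (ActiveStorage direct uploads create the blob before anything is attached to it), `@record = attachment&.record` keeps the logging context best-effort and leaves the signed path's behaviour unchanged, while the `exp.blank?` path still goes through `authorization_check!`. The enclosing action starts and ends outside the hunk.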
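Review bot: `authorization_check!(attachment)` dereferences `attachment.name` on its first line, so a nil argument (a blob with no attachment) surfaces as a NoMethodError rather than an explicit denial; the method had the same gap before, but the lookup has now moved to the caller and the parameter is the only thing the method receives. A guard such as `raise ActiveRecord::RecordNotFound if attachment.nil?` at the top fails closed with a 404 instead of a 500, which matches the intent of an authorization check that has nothing to authorize against. The remainder of the `is_authorized` chain and the method's end are outside the hunk.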
--- a/app/controllers/api/submitter_form_views_controller.rb
+++ b/app/controllers/api/submitter_form_views_controller.rb
@@ -6,15 +6,15 @@ module Api
 skip_authorization_check
 def create
- submitter = Submitter.find_by!(slug: params[:submitter_slug])
+ @submitter = Submitter.find_by!(slug: params[:submitter_slug])
- submitter.opened_at = Time.current
- submitter.save
+ @submitter.opened_at = Time.current
+ @submitter.save
- SubmissionEvents.create_with_tracking_data(submitter, 'view_form', request)
+ SubmissionEvents.create_with_tracking_data(@submitter, 'view_form', request)
- WebhookUrls.for_account_id(submitter.account_id, 'form.viewed').each do |webhook_url|
- SendFormViewedWebhookRequestJob.perform_async('submitter_id' => submitter.id,
+ WebhookUrls.for_account_id(@submitter.account_id, 'form.viewed').each do |webhook_url|
+ SendFormViewedWebhookRequestJob.perform_async('submitter_id' => @submitter.id,
 'webhook_url_id' => webhook_url.id)
 end
diff --git a/app/controllers/preview_document_page_controller.rb b/app/controllers/preview_document_page_controller.rb
index 5bf42138..5e59e74a 100644
--- a/app/controllers/preview_document_page_controller.rb
+++ b/app/controllers/preview_document_page_controller.rb
@@ -12,6 +12,8 @@ class PreviewDocumentPageController < ActionController::API
 return head :not_found unless attachment
+ @template = attachment.record
+
 preview_image = attachment.preview_images.joins(:blob)
 .find_by(blob: { filename: ["#{params[:id]}.png", "#{params[:id]}.jpg"] })
diff --git a/app/controllers/submissions_download_controller.rb b/app/controllers/submissions_download_controller.rb
index e4af5f49..62836650 100644
--- a/app/controllers/submissions_download_controller.rb
+++ b/app/controllers/submissions_download_controller.rb
@@ -8,20 +8,20 @@ class SubmissionsDownloadController < ApplicationController
 FILES_TTL = 5.minutes
 def index
- submitter = Submitter.find_signed(params[:sig], purpose: :download_completed) if params[:sig].present?
+ @submitter = Submitter.find_signed(params[:sig], purpose: :download_completed) if params[:sig].present?
 signature_valid =
- if submitter&.slug == params[:submitter_slug]
+ if @submitter&.slug == params[:submitter_slug]
 true
 else
- submitter = nil
+ @submitter = nil
 end
- submitter ||= Submitter.find_by!(slug: params[:submitter_slug])
+ @submitter ||= Submitter.find_by!(slug: params[:submitter_slug])
- Submissions::EnsureResultGenerated.call(submitter)
+ Submissions::EnsureResultGenerated.call(@submitter)
- last_submitter = submitter.submission.submitters.where.not(completed_at: nil).order(:completed_at).last
+ last_submitter = @submitter.submission.submitters.where.not(completed_at: nil).order(:completed_at).last
 return head :not_found unless last_submitter
@@ -34,7 +34,7 @@ class SubmissionsDownloadController < ApplicationController
 end
 if params[:combined] == 'true'
- url = build_combined_url(submitter)
+ url = build_combined_url(@submitter)
 if url
 render json: [url]
diff --git a/app/controllers/submit_form_download_controller.rb b/app/controllers/submit_form_download_controller.rb
index 9be5c0ac..07447940 100644
--- a/app/controllers/submit_form_download_controller.rb
+++ b/app/controllers/submit_form_download_controller.rb
@@ -7,25 +7,25 @@ class SubmitFormDownloadController < ApplicationController
 FILES_TTL = 5.minutes
 def index
- submitter = Submitter.find_by!(slug: params[:submit_form_slug])
+ @submitter = Submitter.find_by!(slug: params[:submit_form_slug])
- return redirect_to submitter_download_index_path(submitter.slug) if submitter.completed_at?
+ return redirect_to submitter_download_index_path(@submitter.slug) if @submitter.completed_at?
- return head :unprocessable_entity if submitter.declined_at? ||
- submitter.submission.archived_at? ||
- submitter.submission.expired? ||
- submitter.submission.template.archived_at?
+ return head :unprocessable_entity if @submitter.declined_at? ||
+ @submitter.submission.archived_at? ||
+ @submitter.submission.expired? ||
+ @submitter.submission.template.archived_at?
- last_completed_submitter = submitter.submission.submitters
- .where.not(id: submitter.id)
- .where.not(completed_at: nil)
- .max_by(&:completed_at)
+ last_completed_submitter = @submitter.submission.submitters
+ .where.not(id: @submitter.id)
+ .where.not(completed_at: nil)
+ .max_by(&:completed_at)
 attachments =
 if last_completed_submitter
 Submitters.select_attachments_for_download(last_completed_submitter)
 else
- submitter.submission.template.schema_documents.preload(:blob)
+ @submitter.submission.template.schema_documents.preload(:blob)
 end
 urls = attachments.map do |attachment|
diff --git a/config/environments/production.rb b/config/environments/production.rb
index fee6352c..36b0bfaa 100644
--- a/config/environments/production.rb
+++ b/config/environments/production.rb
@@ -134,7 +134,15 @@ Rails.application.configure do
 {}
 end
+ resource = controller.instance_variable_get(:@submitter) ||
+ controller.instance_variable_get(:@submission) ||
+ controller.instance_variable_get(:@template) ||
+ controller.instance_variable_get(:@record)
+
+ current_user = controller.instance_variable_get(:@current_user)
+
 {
+ host: controller.request.host,
 fwd: controller.request.remote_ip,
 params: {
 id: params[:id],
@@ -148,8 +156,10 @@ Rails.application.configure do
 params[:submit_form_slug] || params[:template_slug]).to_s.first(5)
 }.compact_blank,
- host: controller.request.host,
- uid: controller.instance_variable_get(:@current_user).try(:id)
+ uid: current_user.try(:id),
+ aid: current_user.try(:account_id),
+ rid: resource.try(:id),
+ raid: resource.try(:account_id)
 }
 end
 end
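Review bot: `rid` and `raid` carry the id of whichever of `@submitter`, `@submission`, `@template` or `@record` happened to be set, but nothing in the tag hash records which model it came from, so ids from different tables are indistinguishable when reading the log. For the blobs proxy `@record` is whatever `attachment.record` is, presumably an `Account` for a `logo` attachment, in which case `raid` is nil and `rid` is itself an account id with no way to tell. Adding `rtype: resource&.class&.name,` beside `rid:` makes the pair unambiguous at no extra cost. The lambda that returns this hash starts before the hunk.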