From 6727d3be83620959fe36a533765fb9a16a368a0d Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Mon, 19 Feb 2024 17:07:37 +0200
Subject: [PATCH] adjust blob proxy
---
 .../api/active_storage_blobs_proxy_controller.rb | 6 +++++-
 .../active_storage_blobs_proxy_legacy_controller.rb | 13 +++++++++----
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/app/controllers/api/active_storage_blobs_proxy_controller.rb b/app/controllers/api/active_storage_blobs_proxy_controller.rb
index af634a5e..a5a19c72 100644
--- a/app/controllers/api/active_storage_blobs_proxy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_controller.rb
@@ -10,7 +10,11 @@ module Api
 def show
 blob_uuid = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
- return head :not_found unless blob_uuid
+ unless blob_uuid
+ Rollbar.error('Blob not found') if defined?(Rollbar)
+
+ return head :not_found
+ end
 blob = ActiveStorage::Blob.find_by!(uuid: blob_uuid)
diff --git a/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb b/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
index 9be8a931..cf72a3d2 100644
--- a/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
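Review bot: `Rollbar.error('Blob not found')` fires before any blob lookup happens — the branch is reached when `signed_id_verifier.verified` rejects `params[:signed_uuid]` (missing, tampered or expired signature), so the message names the wrong condition, and at error level every stale link a client retries becomes an alert. A message that matches the check, e.g. `Rollbar.error('Invalid or expired signed_uuid') if defined?(Rollbar)`, or a lower severity for what is ordinarily a client-side problem, would make the report useful; the genuinely missing-blob case is already covered by `find_by!` raising on the next visible line. The rest of `show` lies outside this hunk.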
@@ -7,17 +7,21 @@ module Api
 skip_before_action :authenticate_user!
 skip_authorization_check
+ # rubocop:disable Metrics
 def show
 Rollbar.info('Blob legacy') if defined?(Rollbar)
- return render json: { error: 'Not authenticated' }, status: :unauthorized unless current_user
-
 blob = ActiveStorage::Blob.find_signed!(params[:signed_blob_id] || params[:signed_id])
- if blob.attachments.none? { |a| a.record.account.id == current_user.account_id }
+ is_permitted = blob.attachments.any? do |a|
+ (current_user && a.record.account.id == current_user.account_id) ||
+ a.record.account.account_configs.any? { |e| e.key == 'legacy_blob_proxy' }
+ end
+
+ unless is_permitted
 Rollbar.error("Blob account not found: #{blob.id}") if defined?(Rollbar)
- return head :not_found
+ return render json: { error: 'Not authenticated' }, status: :unauthorized
 end
 if request.headers['Range'].present?
@@ -31,5 +35,6 @@ module Api
 end
 end
 end
+ # rubocop:enable Metrics
 end
 end
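Review bot: The `unless is_permitted` branch answers `:unauthorized` / `'Not authenticated'` even when `current_user` is present and the blob merely belongs to another account, which labels an authorization failure as an authentication one and, compared with the previous `head :not_found`, confirms to that user that the blob exists; `status: current_user ? :forbidden : :unauthorized` with a matching message, or keeping the 404, would be more accurate. The `account_configs.any? { |e| e.key == 'legacy_blob_proxy' }` arm grants access with no session at all, so it deserves a comment stating that this is the intended opt-in, e.g. `# accounts with the legacy_blob_proxy config serve signed blob ids without a session`; it also tests only for the key's presence, so if those configs carry a value, a disabled entry would still permit — confirm. With the early `unless current_user` return gone, `find_signed!` and the attachment walk (`a.record.account`, which presumably raises rather than returning 401 if an attachment's record is missing) now run for anonymous callers as well. On style, `is_permitted` is conventionally `permitted` in Ruby, and the `# rubocop:disable Metrics` here with its matching enable in the next hunk switches off the whole department; naming the cop actually tripped, e.g. `Metrics/AbcSize`, keeps the others active. `show` ends outside this hunk.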