use message verifier purpose

2 years ago · 7d154fc28d
parent 6727d3be83
commit 7d154fc28d
4 changed files with 7 additions and 6 deletions
--- a/app/controllers/api/active_storage_blobs_proxy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_controller.rb
@ -8,9 +8,9 @@ module Api
    skip_authorization_check

    def show
-      blob_uuid = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
+      blob_uuid, = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])

-      unless blob_uuid
+      if blob_uuid.blank?
        Rollbar.error('Blob not found') if defined?(Rollbar)

        return head :not_found
--- a/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
@ -15,7 +15,8 @@ module Api

      is_permitted = blob.attachments.any? do |a|
        (current_user && a.record.account.id == current_user.account_id) ||
-          a.record.account.account_configs.any? { |e| e.key == 'legacy_blob_proxy' }
+          a.record.account.account_configs.any? { |e| e.key == 'legacy_blob_proxy' } ||
+          a.name == 'logo'
      end

      unless is_permitted
--- a/app/controllers/preview_document_page_controller.rb
+++ b/app/controllers/preview_document_page_controller.rb
@ -6,7 +6,7 @@ class PreviewDocumentPageController < ActionController::API
  FORMAT = Templates::ProcessDocument::FORMAT

  def show
-    attachment_uuid = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
+    attachment_uuid = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid], purpose: :attachment)

    attachment =
      if attachment_uuid
--- a/config/initializers/active_storage.rb
+++ b/config/initializers/active_storage.rb
@ -6,7 +6,7 @@ ActiveSupport.on_load(:active_storage_attachment) do
  has_many_attached :preview_images

  def signed_uuid
-    @signed_uuid ||= ApplicationRecord.signed_id_verifier.generate(uuid, expires_in: 6.hours)
+    @signed_uuid ||= ApplicationRecord.signed_id_verifier.generate(uuid, expires_in: 6.hours, purpose: :attachment)
  end

  def preview_image_url
@ -37,7 +37,7 @@ ActiveSupport.on_load(:active_storage_blob) do
  end

  def signed_uuid(expires_in: nil)
-    ApplicationRecord.signed_id_verifier.generate(uuid, expires_in:)
+    ApplicationRecord.signed_id_verifier.generate([uuid, 'blob'], expires_in:)
  end

  def delete