From 7d154fc28df7bace1c06112a8602451ea9bb2db1 Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Mon, 19 Feb 2024 21:13:56 +0200
Subject: [PATCH] use message verifier purpose

---
 app/controllers/api/active_storage_blobs_proxy_controller.rb | 4 ++--
 .../api/active_storage_blobs_proxy_legacy_controller.rb | 3 ++-
 app/controllers/preview_document_page_controller.rb | 2 +-
 config/initializers/active_storage.rb | 4 ++--
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/app/controllers/api/active_storage_blobs_proxy_controller.rb b/app/controllers/api/active_storage_blobs_proxy_controller.rb
index a5a19c72..d6c7953b 100644
--- a/app/controllers/api/active_storage_blobs_proxy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_controller.rb
@@ -8,9 +8,9 @@ module Api
     skip_authorization_check
 
     def show
-      blob_uuid = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
+      blob_uuid, = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
 
-      unless blob_uuid
+      if blob_uuid.blank?
         Rollbar.error('Blob not found') if defined?(Rollbar)
 
         return head :not_found
diff --git a/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb b/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
index cf72a3d2..fca401f1 100644
--- a/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_legacy_controller.rb
@@ -15,7 +15,8 @@ module Api
 
       is_permitted = blob.attachments.any? do |a|
         (current_user && a.record.account.id == current_user.account_id) ||
-          a.record.account.account_configs.any? { |e| e.key == 'legacy_blob_proxy' }
+          a.record.account.account_configs.any? { |e| e.key == 'legacy_blob_proxy' } ||
+          a.name == 'logo'
       end
 
       unless is_permitted
diff --git a/app/controllers/preview_document_page_controller.rb b/app/controllers/preview_document_page_controller.rb
index ef05cbbd..ef332715 100644
--- a/app/controllers/preview_document_page_controller.rb
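Review bot: The `'blob'` tag that `Blob#signed_uuid` now puts into the payload is never checked here — `blob_uuid, =` keeps only the first element and drops the rest — so this proxy still accepts any purpose-less signed id the app has ever issued, including bare-uuid tokens from before this change, exactly as before. If the tag is meant to tell blob tokens apart from other signed ids, read and verify it while keeping bare strings valid only for as long as legacy tokens must work: `blob_uuid, tag = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])` followed by `if blob_uuid.blank? || (tag && tag != 'blob')`. If already-issued tokens do not need to survive, binding both sides with `purpose: :blob`, as the attachment path in this commit does, is the stronger check because the verifier enforces it rather than the controller. Note that `a, = 'string'` assigns the whole string to `a`, which is presumably what keeps old tokens working and is worth a one-line comment. The `show` body continues past the hunk.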
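Review bot: The added `a.name == 'logo'` clause makes every attachment named `logo`, on any record and in any account, readable through the legacy proxy without a signed-in user and without the `legacy_blob_proxy` account config, and nothing in the hunk limits it to the model whose logo is presumably meant to be public. If only one record type's logo should be world-readable, scope the clause to it, e.g. `(a.name == 'logo' && a.record_type == 'Account')` (adjust the type to whatever owns the public logo), and state the intent in a comment such as `# logos are public branding assets, so they bypass the account check`. `is_permitted` is only the first gate; the enclosing `show` method starts and ends outside the hunk.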
+++ b/app/controllers/preview_document_page_controller.rb
@@ -6,7 +6,7 @@ class PreviewDocumentPageController < ActionController::API
   FORMAT = Templates::ProcessDocument::FORMAT
 
   def show
-    attachment_uuid = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
+    attachment_uuid = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid], purpose: :attachment)
 
     attachment =
       if attachment_uuid
diff --git a/config/initializers/active_storage.rb b/config/initializers/active_storage.rb
index 0396624b..d7a0d458 100644
--- a/config/initializers/active_storage.rb
+++ b/config/initializers/active_storage.rb
@@ -6,7 +6,7 @@ ActiveSupport.on_load(:active_storage_attachment) do
   has_many_attached :preview_images
 
   def signed_uuid
-    @signed_uuid ||= ApplicationRecord.signed_id_verifier.generate(uuid, expires_in: 6.hours)
+    @signed_uuid ||= ApplicationRecord.signed_id_verifier.generate(uuid, expires_in: 6.hours, purpose: :attachment)
   end
 
   def preview_image_url
@@ -37,7 +37,7 @@ ActiveSupport.on_load(:active_storage_blob) do
   end
 
   def signed_uuid(expires_in: nil)
-    ApplicationRecord.signed_id_verifier.generate(uuid, expires_in:)
+    ApplicationRecord.signed_id_verifier.generate([uuid, 'blob'], expires_in:)
   end
 
   def delete
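Review bot: The `:attachment` purpose on this line must stay identical to the symbol passed to `generate` in `config/initializers/active_storage.rb`; if the two drift, `verified` returns nil for every token and every request falls into the nil branch of `if attachment_uuid` with no signal that the purpose is wrong. Consider defining the purpose once — a constant on the attachment extension, or a small helper wrapping both `generate` and `verified` — so there is a single place to keep in sync, with a comment like `# must match the purpose used by Attachment#signed_uuid`. Tokens issued before this commit carry no purpose and are now rejected, which the 6-hour expiry on the generating side limits to a short window. The `show` method continues past the hunk.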
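Review bot: In the second hunk, `Blob#signed_uuid` still issues a token with no `purpose:` — the commit tags the payload with `'blob'` instead — so the verifier does not bind this token to the blob proxy the way the attachment token in the first hunk is bound, and since `expires_in` defaults to nil here, bare-uuid tokens issued before this change never age out. If the tag is there precisely so those old tokens keep verifying, say so where the next maintainer will look, e.g. `# Payload is tagged rather than purpose-bound so bare-uuid tokens issued before this change keep verifying (they never expire); the proxy is expected to check the tag.`; if not, `purpose: :blob` here and `verified(..., purpose: :blob)` in the proxy is the simpler and stronger binding. Either way, the `'blob'` literal and the `:attachment` symbol are now contract values shared with controllers in other files and deserve named constants. The `on_load` block continues outside the hunk.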