diff --git a/app/controllers/submissions_debug_controller.rb b/app/controllers/submissions_debug_controller.rb
index 4a6e8b9d..b9a137d0 100644
--- a/app/controllers/submissions_debug_controller.rb
+++ b/app/controllers/submissions_debug_controller.rb
@@ -9,7 +9,7 @@ class SubmissionsDebugController < ApplicationController
   def index
     @submitter = Submitter.preload({ attachments_attachments: :blob },
                                    submission: { template: { documents_attachments: :blob } })
-                          .find_by(slug: params[:submitter_slug])
+                          .find_by(slug: params[:submit_form_slug])
 
     respond_to do |f|
       f.html do
diff --git a/app/controllers/submissions_download_controller.rb b/app/controllers/submissions_download_controller.rb
index 98e369be..74287451 100644
--- a/app/controllers/submissions_download_controller.rb
+++ b/app/controllers/submissions_download_controller.rb
@@ -1,52 +1,25 @@
 # frozen_string_literal: true
 
 class SubmissionsDownloadController < ApplicationController
-  skip_before_action :authenticate_user!
-  skip_authorization_check
-
-  TTL = 40.minutes
+  load_and_authorize_resource :submission
 
   def index
-    @submission = Submission.find_by!(slug: params[:submission_slug] || params[:submissions_preview_slug])
-
     last_submitter = @submission.submitters.where.not(completed_at: nil).order(:completed_at).last
 
-    Submissions::EnsureResultGenerated.call(last_submitter)
+    return head :not_found unless last_submitter
 
-    unless current_user_submitter?(last_submitter)
-      unless Submitters::AuthorizedForForm.call(last_submitter, current_user, request)
-        Rollbar.info("2FA download error: #{last_submitter.id}") if defined?(Rollbar)
-
-        return head :not_found
-      end
+    Submissions::EnsureResultGenerated.call(last_submitter)
 
-      if last_submitter.completed_at < TTL.ago
-        Rollbar.info("TTL: #{last_submitter.id}") if defined?(Rollbar)
+    if params[:combined] == 'true'
+      url = Submitters.build_combined_url(last_submitter)
 
-        return head :not_found
+      if url
+        render json: [url]
+      else
+        head :not_found
       end
-    end
-
-    if params[:combined] == 'true'
-      respond_with_combined(last_submitter)
     else
       render json: Submitters.build_document_urls(last_submitter)
     end
   end
-
-  private
-
-  def respond_with_combined(submitter)
-    url = Submitters.build_combined_url(submitter)
-
-    if url
-      render json: [url]
-    else
-      head :not_found
-    end
-  end
-
-  def current_user_submitter?(submitter)
-    current_user && current_ability.can?(:read, submitter)
-  end
 end
diff --git a/app/controllers/submissions_preview_controller.rb b/app/controllers/submissions_preview_controller.rb
index 10e45358..ed83c407 100644
--- a/app/controllers/submissions_preview_controller.rb
+++ b/app/controllers/submissions_preview_controller.rb
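Review bot: `load_and_authorize_resource :submission` loads the record with CanCanCan's defaults, i.e. by `params[:id]` and primary key, whereas the removed `find_by!(slug: params[:submission_slug] || params[:submissions_preview_slug])` looked up by slug, so if the route for this action still supplies a slug parameter the load raises RecordNotFound before `index` runs. The routes are not part of this diff, so this may already be handled; if slug routing is intended, `load_and_authorize_resource :submission, id_param: :submission_slug, find_by: :slug` keeps the old lookup (the same form this commit removes in SubmittersSendEmailController). The same question applies to the new `load_and_authorize_resource :submitter` lines in submitters_download_controller.rb (`@@ -1,66 +1,11 @@`) and submitters_send_email_controller.rb. Replacing the slug+TTL gate with authorization-backed access is otherwise a clear improvement for this endpoint, with the unauthenticated path now isolated in the new SubmissionsPreviewDownloadController.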
@@ -38,7 +38,7 @@ class SubmissionsPreviewController < ApplicationController
 
     @submission = Submissions.preload_with_pages(@submission)
 
-    render 'submissions/show', layout: 'plain'
+    render 'submissions/show', layout: 'plain', locals: { is_preview: true }
   end
 
   def completed
diff --git a/app/controllers/submissions_preview_download_controller.rb b/app/controllers/submissions_preview_download_controller.rb
new file mode 100644
index 00000000..da50785a
--- /dev/null
+++ b/app/controllers/submissions_preview_download_controller.rb
@@ -0,0 +1,64 @@
+# frozen_string_literal: true
+
+class SubmissionsPreviewDownloadController < ApplicationController
+  skip_before_action :authenticate_user!
+  skip_authorization_check
+
+  TTL = 40.minutes
+
+  def index
+    @submission = Submission.find_by!(slug: params[:submission_slug] || params[:submissions_preview_slug])
+
+    last_submitter = @submission.submitters.where.not(completed_at: nil).order(:completed_at).last
+
+    return head :not_found unless last_submitter
+
+    Submissions::EnsureResultGenerated.call(last_submitter)
+
+    unless current_user_submission?(@submission)
+      if use_2fa?(@submission)
+        Rollbar.info("2FA download error: #{last_submitter.id}") if defined?(Rollbar)
+
+        return head :not_found
+      end
+
+      if last_submitter.completed_at < TTL.ago
+        Rollbar.info("TTL: #{last_submitter.id}") if defined?(Rollbar)
+
+        return head :not_found
+      end
+    end
+
+    if params[:combined] == 'true'
+      respond_with_combined(last_submitter)
+    else
+      render json: Submitters.build_document_urls(last_submitter)
+    end
+  end
+
+  private
+
+  def respond_with_combined(submitter)
+    url = Submitters.build_combined_url(submitter)
+
+    if url
+      render json: [url]
+    else
+      head :not_found
+    end
+  end
+
+  def current_user_submission?(submission)
+    current_user && current_ability.can?(:read, submission)
+  end
+
+  def use_2fa?(submission)
+    return true if submission.submitters.any? do |e|
+      e.preferences['require_phone_2fa'] || e.preferences['require_email_2fa']
+    end
+    return true if submission.template&.preferences&.dig('require_phone_2fa')
+    return true if submission.template&.preferences&.dig('require_email_2fa')
+
+    false
+  end
+end
diff --git a/app/controllers/submit_form_completed_download_controller.rb b/app/controllers/submit_form_completed_download_controller.rb
new file mode 100644
index 00000000..19dfafb1
--- /dev/null
+++ b/app/controllers/submit_form_completed_download_controller.rb
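Review bot: `Submissions::EnsureResultGenerated.call(last_submitter)` runs before the `current_user_submission?` / `use_2fa?` / TTL gate, so an unauthenticated request that is about to receive `head :not_found` still triggers result generation for that submission; moving that single call to just after the `unless ... end` block (before `if params[:combined] == 'true'`) limits the work to requests that are actually allowed to download. `TTL = 40.minutes` is the entire access window for slug-only requests and deserves saying so, e.g. `# Slug-only (unauthenticated) downloads are accepted only this long after the last submitter completed; 2FA-protected forms never take this path`. `use_2fa?` would also read more directly as one boolean expression (`submitters.any? { ... } || template&.preferences&.dig(...) || ...`) with a `!!` or `.present?` at the end, instead of three `return true if` lines followed by `false`.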
@@ -0,0 +1,70 @@
+# frozen_string_literal: true
+
+class SubmitFormCompletedDownloadController < ApplicationController
+  skip_before_action :authenticate_user!
+  skip_authorization_check
+
+  TTL = 40.minutes
+  FILES_TTL = 5.minutes
+
+  def index
+    @submitter = Submitter.find_signed(params[:sig], purpose: :download_completed) if params[:sig].present?
+
+    signature_valid =
+      if @submitter&.slug == submitter_slug
+        true
+      else
+        @submitter = nil
+      end
+
+    @submitter ||= Submitter.find_by!(slug: submitter_slug)
+
+    Submissions::EnsureResultGenerated.call(@submitter)
+
+    last_submitter = @submitter.submission.submitters.where.not(completed_at: nil).order(:completed_at).last
+
+    return head :not_found unless last_submitter
+
+    Submissions::EnsureResultGenerated.call(last_submitter)
+
+    if !signature_valid && !current_user_submitter?(last_submitter)
+      unless Submitters::AuthorizedForForm.call(@submitter, current_user, request)
+        Rollbar.info("2FA download error: #{last_submitter.id}") if defined?(Rollbar)
+
+        return head :not_found
+      end
+
+      if last_submitter.completed_at < TTL.ago
+        Rollbar.info("TTL: #{last_submitter.id}") if defined?(Rollbar)
+
+        return head :not_found
+      end
+    end
+
+    if params[:combined] == 'true'
+      respond_with_combined(last_submitter)
+    else
+      render json: Submitters.build_document_urls(last_submitter)
+    end
+  end
+
+  private
+
+  def submitter_slug
+    params[:submit_form_slug] || params[:submitter_slug] || params[:submitter_id]
+  end
+
+  def respond_with_combined(submitter)
+    url = Submitters.build_combined_url(submitter)
+
+    if url
+      render json: [url]
+    else
+      head :not_found
+    end
+  end
+
+  def current_user_submitter?(submitter)
+    current_user && current_ability.can?(:read, submitter)
+  end
+end
diff --git a/app/controllers/submit_form_download_controller.rb b/app/controllers/submit_form_download_controller.rb
index af9cbeb4..e1c22eba 100644
--- a/app/controllers/submit_form_download_controller.rb
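Review bot: `FILES_TTL = 5.minutes` is defined but never read anywhere in this new file, so it should be dropped or used. A valid `params[:sig]` skips both the `Submitters::AuthorizedForForm` check and the 40-minute TTL check, and `find_signed` only enforces an expiry if the signed id was minted with `expires_in`; the minting code is not in this diff, so it is worth confirming that these links do expire and recording it next to the lookup, e.g. `# A valid signed id bypasses the 2FA and TTL gates below, so it must be minted with expires_in`. The `signature_valid =` block sets the variable to the value of `@submitter = nil` in its else branch, which works (nil is falsy) but reads like a mistake; `signature_valid = @submitter&.slug == submitter_slug` followed by `@submitter = nil unless signature_valid` states the intent directly with the same outcome.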
+++ b/app/controllers/submit_form_download_controller.rb
@@ -9,7 +9,7 @@ class SubmitFormDownloadController < ApplicationController
   def index
     @submitter = Submitter.find_by!(slug: params[:submit_form_slug])
 
-    return redirect_to submitter_download_index_path(@submitter.slug) if @submitter.completed_at?
+    return redirect_to submit_form_documents_path(@submitter.slug) if @submitter.completed_at?
 
     return head :unprocessable_content if @submitter.declined_at? ||
                                           @submitter.submission.archived_at? ||
diff --git a/app/controllers/submitters_download_controller.rb b/app/controllers/submitters_download_controller.rb
index 28a354bc..c4588ca2 100644
--- a/app/controllers/submitters_download_controller.rb
+++ b/app/controllers/submitters_download_controller.rb
@@ -1,66 +1,11 @@
 # frozen_string_literal: true
 
 class SubmittersDownloadController < ApplicationController
-  skip_before_action :authenticate_user!
-  skip_authorization_check
-
-  TTL = 40.minutes
-  FILES_TTL = 5.minutes
+  load_and_authorize_resource :submitter
 
   def index
-    @submitter = Submitter.find_signed(params[:sig], purpose: :download_completed) if params[:sig].present?
-
-    signature_valid =
-      if @submitter&.slug == params[:submitter_slug]
-        true
-      else
-        @submitter = nil
-      end
-
-    @submitter ||= Submitter.find_by!(slug: params[:submitter_slug])
-
     Submissions::EnsureResultGenerated.call(@submitter)
 
-    last_submitter = @submitter.submission.submitters.where.not(completed_at: nil).order(:completed_at).last
-
-    return head :not_found unless last_submitter
-
-    Submissions::EnsureResultGenerated.call(last_submitter)
-
-    if !signature_valid && !current_user_submitter?(last_submitter)
-      unless Submitters::AuthorizedForForm.call(@submitter, current_user, request)
-        Rollbar.info("2FA download error: #{last_submitter.id}") if defined?(Rollbar)
-
-        return head :not_found
-      end
-
-      if last_submitter.completed_at < TTL.ago
-        Rollbar.info("TTL: #{last_submitter.id}") if defined?(Rollbar)
-
-        return head :not_found
-      end
-    end
-
-    if params[:combined] == 'true'
-      respond_with_combined(last_submitter)
-    else
-      render json: Submitters.build_document_urls(last_submitter)
-    end
-  end
-
-  private
-
-  def respond_with_combined(submitter)
-    url = Submitters.build_combined_url(submitter)
-
-    if url
-      render json: [url]
-    else
-      head :not_found
-    end
-  end
-
-  def current_user_submitter?(submitter)
-    current_user && current_ability.can?(:read, submitter)
+    render json: Submitters.build_document_urls(@submitter)
   end
 end
diff --git a/app/controllers/submitters_send_email_controller.rb b/app/controllers/submitters_send_email_controller.rb
index f3eb3187..51c7c1b7 100644
--- a/app/controllers/submitters_send_email_controller.rb
+++ b/app/controllers/submitters_send_email_controller.rb
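Review bot: The new `index` renders `Submitters.build_document_urls(@submitter)` without checking that `@submitter` has completed, whereas the removed code resolved the last submitter with `completed_at` set and returned `head :not_found` when there was none. If `build_document_urls` is not safe on an incomplete submitter (its body is not in this diff), add `return head :not_found unless @submitter.completed_at?` ahead of the retained `Submissions::EnsureResultGenerated.call(@submitter)` line. The endpoint now also returns the authorized submitter's own documents rather than the last completed submitter's; that looks intended given the new SubmitFormCompletedDownloadController takes over the old behaviour, but it is worth a sentence in the commit description. The `params[:combined]` branch is gone from this controller as well, so any caller relying on `?combined=true` here would now get the per-document list.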
@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
 class SubmittersSendEmailController < ApplicationController
-  load_and_authorize_resource :submitter, id_param: :submitter_slug, find_by: :slug
+  load_and_authorize_resource :submitter
 
   def create
     if Docuseal.multitenant? && SubmissionEvent.exists?(submitter: @submitter,
diff --git a/app/views/submissions/show.html.erb b/app/views/submissions/show.html.erb
index bf8e6eba..de82482b 100644
--- a/app/views/submissions/show.html.erb
+++ b/app/views/submissions/show.html.erb
@@ -1,4 +1,4 @@
-<% if params[:controller] == 'submissions_preview' %>
+<% if local_assigns[:is_preview] %>
 <%= render 'submissions/preview_tags' %>
 <% end %>
 <% font_scale = 1040.0 / PdfUtils::US_LETTER_W %>
@@ -30,10 +30,10 @@
 <%= t('event_log') %>
 <% end %>
 <% end %>
-<% if is_all_completed || @submission.submitters.to_a.any?(&:completed_at?) %>
+<% if @submission.submitters.to_a.any?(&:completed_at?) %>
 <% if is_all_completed || !is_combined_enabled %>