From c81b4d855be67dd89548e70b921a906562f762ea Mon Sep 17 00:00:00 2001
From: Pete Matsyburka
Date: Sat, 24 Feb 2024 13:04:14 +0200
Subject: [PATCH] check signed blob data purpose
---
 app/controllers/api/active_storage_blobs_proxy_controller.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/app/controllers/api/active_storage_blobs_proxy_controller.rb b/app/controllers/api/active_storage_blobs_proxy_controller.rb
index 4f2968cc..6995fdb0 100644
--- a/app/controllers/api/active_storage_blobs_proxy_controller.rb
+++ b/app/controllers/api/active_storage_blobs_proxy_controller.rb
@@ -10,9 +10,9 @@ module Api
 before_action :set_cors_headers
 def show
- blob_uuid, = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
+ blob_uuid, purp = ApplicationRecord.signed_id_verifier.verified(params[:signed_uuid])
- if blob_uuid.blank?
+ if blob_uuid.blank? || purp != 'blob'
 Rollbar.error('Blob not found') if defined?(Rollbar)
 return head :not_found
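Review bot: The added `purp != 'blob'` test in `show` shares the `Rollbar.error('Blob not found')` branch with a blank payload, so a validly signed token that was issued for a different purpose is reported exactly like a stale or malformed link. Reporting that case on its own, e.g. `Rollbar.warning('Signed blob token purpose mismatch') if defined?(Rollbar) && blob_uuid.present?`, would let whoever watches the error stream tell cross-purpose token reuse apart from ordinary 404s. The purpose is also carried as a second element inside the signed payload rather than in the verifier's own metadata; if the code that generates these tokens (not visible in this hunk) can be changed in step, `signed_id_verifier.verified(params[:signed_uuid], purpose: :blob)` would have MessageVerifier reject mismatched tokens itself instead of relying on each caller to remember the comparison. The body of `show` continues past the end of the hunk.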