gitlab-org--gitlab-foss/app/controllers/projects/uploads_controller.rb

class Projects::UploadsController < Projects::ApplicationController
  layout 'project'

  skip_before_filter :project, :repository, :authenticate_user!, only: [:show]

  before_filter :authorize_uploads, only: [:show]

  def create
    link_to_file = ::Projects::UploadService.new(project, params[:file]).
      execute

    respond_to do |format|
      if link_to_file
        format.json do
          render json: { link: link_to_file }
        end
      else
        format.json do
          render json: 'Invalid file.', status: :unprocessable_entity
        end
      end
    end
  end

  def show
    uploader = get_file
    
    return not_found! if uploader.nil? || !uploader.file.exists?

    disposition = uploader.image? ? 'inline' : 'attachment'
    send_file uploader.file.path, disposition: disposition
  end

  def get_file
    namespace = params[:namespace_id]
    id = params[:project_id]

    file_project = Project.find_with_namespace("#{namespace}/#{id}")

    return nil if file_project.nil?

    uploader = FileUploader.new(file_project, params[:secret])
    uploader.retrieve_from_store!(params[:filename])

    uploader
  end

  def authorize_uploads
    uploader = get_file
    unless uploader && uploader.image?
      project
    end
  end
end
Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00			`class Projects::UploadsController < Projects::ApplicationController`
implement Project::UploadsController 2015-02-14 18:52:45 +00:00			`layout 'project'`
Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00
remove access control for images This commit removes the access control for uploaded images. This is needed to display the images in emails again. 2015-04-14 15:02:17 +00:00			`skip_before_filter :project, :repository, :authenticate_user!, only: [:show]`

			`before_filter :authorize_uploads, only: [:show]`
Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00
Refactor. 2015-02-16 18:58:40 +00:00			`def create`
Fix URL to uploaded file. 2015-02-20 14:56:12 +00:00			`link_to_file = ::Projects::UploadService.new(project, params[:file]).`
Refactor. 2015-02-16 18:58:40 +00:00			`execute`

			`respond_to do \|format\|`
			`if link_to_file`
			`format.json do`
			`render json: { link: link_to_file }`
			`end`
			`else`
			`format.json do`
			`render json: 'Invalid file.', status: :unprocessable_entity`
			`end`
			`end`
			`end`
			`end`

Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00			`def show`
remove access control for images This commit removes the access control for uploaded images. This is needed to display the images in emails again. 2015-04-14 15:02:17 +00:00			`uploader = get_file`

			`return not_found! if uploader.nil? \|\| !uploader.file.exists?`

			`disposition = uploader.image? ? 'inline' : 'attachment'`
			`send_file uploader.file.path, disposition: disposition`
			`end`

			`def get_file`
			`namespace = params[:namespace_id]`
			`id = params[:project_id]`
Refactor. 2015-02-16 18:58:40 +00:00
remove access control for images This commit removes the access control for uploaded images. This is needed to display the images in emails again. 2015-04-14 15:02:17 +00:00			`file_project = Project.find_with_namespace("#{namespace}/#{id}")`
Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00
remove access control for images This commit removes the access control for uploaded images. This is needed to display the images in emails again. 2015-04-14 15:02:17 +00:00			`return nil if file_project.nil?`

			`uploader = FileUploader.new(file_project, params[:secret])`
Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00			`uploader.retrieve_from_store!(params[:filename])`

remove access control for images This commit removes the access control for uploaded images. This is needed to display the images in emails again. 2015-04-14 15:02:17 +00:00			`uploader`
			`end`
Merge branch 'extend_markdown_upload' into generic-uploads # Conflicts: # app/controllers/files_controller.rb # app/controllers/projects/uploads_controller.rb # app/uploaders/attachment_uploader.rb 2015-02-20 14:37:37 +00:00
remove access control for images This commit removes the access control for uploaded images. This is needed to display the images in emails again. 2015-04-14 15:02:17 +00:00			`def authorize_uploads`
			`uploader = get_file`
			`unless uploader && uploader.image?`
			`project`
			`end`
Use controllers to serve uploads, with XSS prevention and access control. 2015-02-20 12:13:48 +00:00			`end`
Satisfy Rubocop. 2015-02-20 13:39:35 +00:00			`end`