Merge branch 'extend_markdown_upload' into generic-uploads

# Conflicts: # app/controllers/files_controller.rb # app/controllers/projects/uploads_controller.rb # app/uploaders/attachment_uploader.rb

Merge branch 'extend_markdown_upload' into generic-uploads
218283b3 · Douwe Maan · 4ef6ffaa · 65b125a5 · 218283b3 · 218283b3
Commit 218283b3 authored 10 years ago by Douwe Maan
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -4,6 +4,8 @@ v 7.9.0 (unreleased)
 v 7.8.0 (unreleased)
  - Fix access control and protection against XSS for note attachments and other uploads.
+  - Fix broken access control for note attachments (Hannes Rosenögger)
+  - Generalize image upload in drag and drop in markdown to all files (Hannes Rosenögger)
  - Replace highlight.js with rouge-fork rugments (Stefan Tatschner)
  - Make project search case insensitive (Hannes Rosenögger)
  - Include issue/mr participants in list of recipients for reassign/close/reopen emails

--- a/Gemfile
+++ b/Gemfile
@@ -205,6 +205,7 @@ group :development do
  gem "letter_opener"
  gem 'quiet_assets', '~> 1.0.1'
  gem 'rack-mini-profiler', require: false
+  gem "byebug"
  # Better errors handler
  gem 'better_errors'

--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -65,6 +65,9 @@ GEM
      sass (>= 3.2.19)
    browser (0.7.2)
    builder (3.2.2)
+    byebug (3.2.0)
+      columnize (~> 0.8)
+      debugger-linecache (~> 1.2)
    cal-heatmap-rails (0.0.1)
    capybara (2.2.1)
      mime-types (>= 1.16)
@@ -92,6 +95,7 @@ GEM
    coffee-script-source (1.6.3)
    colored (1.2)
    colorize (0.5.8)
+    columnize (0.9.0)
    connection_pool (2.1.0)
    coveralls (0.7.0)
      multi_json (~> 1.3)
@@ -107,6 +111,7 @@ GEM
    daemons (1.1.9)
    database_cleaner (1.3.0)
    debug_inspector (0.0.2)
+    debugger-linecache (1.2.0)
    default_value_for (3.0.0)
      activerecord (>= 3.2.0, < 5.0)
    descendants_tracker (0.0.3)
@@ -650,6 +655,7 @@ DEPENDENCIES
  binding_of_caller
  bootstrap-sass (~> 3.0)
  browser
+  byebug
  cal-heatmap-rails (~> 0.0.1)
  capybara (~> 2.2.1)
  carrierwave

--- a/app/assets/javascripts/dropzone_input.js.coffee
+++ b/app/assets/javascripts/dropzone_input.js.coffee
@@ -6,10 +6,10 @@ class @DropzoneInput
    divHover = "<div class=\"div-dropzone-hover\"></div>"
    divSpinner = "<div class=\"div-dropzone-spinner\"></div>"
    divAlert = "<div class=\"" + alertClass + "\"></div>"
-    iconPicture = "<i class=\"fa fa-picture-o div-dropzone-icon\"></i>"
+    iconPaperclip = "<i class=\"fa fa-paperclip div-dropzone-icon\"></i>"
    iconSpinner = "<i class=\"fa fa-spinner fa-spin div-dropzone-icon\"></i>"
    btnAlert = "<button type=\"button\"" + alertAttr + ">&times;</button>"
-    project_image_path_upload = window.project_image_path_upload or null
+    project_uploads_path = window.project_uploads_path or null
    form_textarea = $(form).find("textarea.markdown-area")
    form_textarea.wrap "<div class=\"div-dropzone\"></div>"
@@ -19,7 +19,7 @@ class @DropzoneInput
    form_dropzone = $(form).find('.div-dropzone')
    form_dropzone.parent().addClass "div-dropzone-wrapper"
    form_dropzone.append divHover
-    $(".div-dropzone-hover").append iconPicture
+    $(".div-dropzone-hover").append iconPaperclip
    form_dropzone.append divSpinner
    $(".div-dropzone-spinner").append iconSpinner
    $(".div-dropzone-spinner").css
@@ -72,13 +72,12 @@ class @DropzoneInput
      form.find(".md-preview-holder").hide()
    dropzone = form_dropzone.dropzone(
-      url: project_image_path_upload
+      url: project_uploads_path
      dictDefaultMessage: ""
      clickable: true
-      paramName: "markdown_img"
+      paramName: "file"
      maxFilesize: 10
      uploadMultiple: false
-      acceptedFiles: "image/jpg,image/jpeg,image/gif,image/png"
      headers:
        "X-CSRF-Token": $("meta[name=\"csrf-token\"]").attr("content")
@@ -132,8 +131,10 @@ class @DropzoneInput
    child = $(dropzone[0]).children("textarea")
-    formatLink = (str) ->
+    formatLink = (link) ->
-      "![" + str.alt + "](" + str.url + ")"
+      text = "[#{link.alt}](#{link.url})"
+      text = "!#{text}" if link.is_image
+      text
    handlePaste = (event) ->
      pasteEvent = event.originalEvent
@@ -177,9 +178,9 @@ class @DropzoneInput
    uploadFile = (item, filename) ->
      formData = new FormData()
-      formData.append "markdown_img", item, filename
+      formData.append "file", item, filename
      $.ajax
-        url: project_image_path_upload
+        url: project_uploads_path
        type: "POST"
        data: formData
        dataType: "json"
@@ -233,5 +234,7 @@ class @DropzoneInput
      $(@).closest('.gfm-form').find('.div-dropzone').click()
      return
-  formatLink: (str) ->
+  formatLink: (link) ->
-    "![" + str.alt + "](" + str.url + ")"
+    text = "[#{link.alt}](#{link.url})"
+    text = "!#{text}" if link.is_image
+    text
\ No newline at end of file
--- a/app/assets/javascripts/notes.js.coffee
+++ b/app/assets/javascripts/notes.js.coffee
@@ -39,9 +39,6 @@ class @Notes
    # reset main target form after submit
    $(document).on "ajax:complete", ".js-main-target-form", @resetMainTargetForm
-    # attachment button
-    $(document).on "click", ".js-choose-note-attachment-button", @chooseNoteAttachment
    # update the file name when an attachment is selected
    $(document).on "change", ".js-note-attachment-input", @updateFormAttachment
@@ -73,7 +70,6 @@ class @Notes
    $(document).off "click", ".js-note-delete"
    $(document).off "click", ".js-note-attachment-delete"
    $(document).off "ajax:complete", ".js-main-target-form"
-    $(document).off "click", ".js-choose-note-attachment-button"
    $(document).off "click", ".js-discussion-reply-button"
    $(document).off "click", ".js-add-diff-note-button"
    $(document).off "visibilitychange"
@@ -173,15 +169,6 @@ class @Notes
    form.find(".js-note-text").data("autosave").reset()
-  ###
-  Called when clicking the "Choose File" button.
-  Opens the file selection dialog.
-  ###
-  chooseNoteAttachment: ->
-    form = $(this).closest("form")
-    form.find(".js-note-attachment-input").click()
  ###
  Shows the main form and does some setup on it.

--- a/app/assets/stylesheets/sections/notes.scss
+++ b/app/assets/stylesheets/sections/notes.scss
@@ -66,6 +66,22 @@ ul.notes {
        overflow: auto;
        word-wrap: break-word;
        @include md-typography;
+        a[href*="/uploads/"] {
+          &:before {
+            margin-right: 4px;
+            font: normal normal normal 14px/1 FontAwesome;
+            font-size: inherit;
+            text-rendering: auto;
+            -webkit-font-smoothing: antialiased;
+            content: "\f0c6";
+          }
+          &:hover:before {
+            text-decoration: none;
+          }
+        }
      }
    }
    .note-header {

--- a/app/controllers/files_controller.rb
+++ b/app/controllers/files_controller.rb
-class FilesController < ApplicationController
-  def download
-    note = Note.find(params[:id])
-    uploader = note.attachment
-    if uploader.file_storage?
-      if can?(current_user, :read_project, note.project)
-        disposition = uploader.image? ? 'inline' : 'attachment'
-        send_file uploader.file.path, disposition: disposition
-      else
-        not_found!
-      end
-    else
-      redirect_to uploader.url
-    end
-  end
-end
--- a/app/controllers/projects/uploads_controller.rb
+++ b/app/controllers/projects/uploads_controller.rb
 class Projects::UploadsController < Projects::ApplicationController
-  layout "project"
+  layout 'project'
  before_filter :project
+  def create
+    link_to_file = ::Projects::UploadService.new(repository, params[:file]).
+      execute
+    respond_to do |format|
+      if link_to_file
+        format.json do
+          render json: { link: link_to_file }
+        end
+      else
+        format.json do
+          render json: 'Invalid file.', status: :unprocessable_entity
+        end
+      end
+    end
+  end
  def show
-    path = File.join(project.path_with_namespace, params[:secret])
+    uploader = FileUploader.new(project, params[:secret])
-    uploader = FileUploader.new('uploads', path)
+    return redirect_to uploader.url unless uploader.file_storage?
    uploader.retrieve_from_store!(params[:filename])
-    if uploader.file.exists?
+    return not_found! unless uploader.file.exists?
-      # Right now, these are always images, so we can safely render them inline.
-      send_file uploader.file.path, disposition: 'inline'
+    disposition = uploader.image? ? 'inline' : 'attachment'
-    else
+    send_file uploader.file.path, disposition: disposition
-      not_found!
-    end
  end
 end
--- a/app/controllers/projects_controller.rb
+++ b/app/controllers/projects_controller.rb
@@ -137,18 +137,6 @@ class ProjectsController < ApplicationController
    end
  end
-  def upload_image
-    link_to_image = ::Projects::ImageService.new(repository, params, root_url).execute
-    respond_to do |format|
-      if link_to_image
-        format.json { render json: { link: link_to_image } }
-      else
-        format.json { render json: 'Invalid file.', status: :unprocessable_entity }
-      end
-    end
-  end
  def toggle_star
    current_user.toggle_star(@project)
    @project.reload
@@ -161,15 +149,6 @@ class ProjectsController < ApplicationController
  private
-  def upload_path
-    base_dir = FileUploader.generate_dir
-    File.join(repository.path_with_namespace, base_dir)
-  end
-  def accepted_images
-    %w(png jpg jpeg gif)
-  end
  def set_title
    @title = 'New Project'
  end

--- a/app/controllers/uploads_controller.rb
+++ b/app/controllers/uploads_controller.rb
@@ -3,15 +3,13 @@ class UploadsController < ApplicationController
    model = params[:model].camelize.constantize.find(params[:id])
    uploader = model.send(params[:mounted_as])
-    if uploader.file_storage?
+    return not_found! if model.respond_to?(:project) && !can?(current_user, :read_project, model.project)
-      if !model.respond_to?(:project) || can?(current_user, :read_project, model.project)
-        disposition = uploader.image? ? 'inline' : 'attachment'
+    return redirect_to uploader.url unless uploader.file_storage?
-        send_file uploader.file.path, disposition: disposition
-      else
+    return not_found! unless uploader.file.exists?
-        not_found!
-      end
+    disposition = uploader.image? ? 'inline' : 'attachment'
-    else
+    send_file uploader.file.path, disposition: disposition
-      redirect_to uploader.url
-    end
  end
 end
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -177,7 +177,7 @@ class User < ActiveRecord::Base
    end
  end
-  mount_uploader :avatar, AvatarUplaoder
+  mount_uploader :avatar, AvatarUploader
  # Scopes
  scope :admins, -> { where(admin:  true) }

--- a/app/services/projects/image_service.rb
+++ b/app/services/projects/image_service.rb
-module Projects
-  class ImageService < BaseService
-    include Rails.application.routes.url_helpers
-    def initialize(repository, params, root_url)
-      @repository, @params, @root_url = repository, params.dup, root_url
-    end
-    def execute
-      uploader = FileUploader.new('uploads', upload_path, accepted_images)
-      image = @params['markdown_img']
-      if image && correct_mime_type?(image)
-        alt = image.original_filename
-        uploader.store!(image)
-        link = {
-                 'alt' => File.basename(alt, '.*'),
-                 'url' => File.join(@root_url, uploader.url)
-               }
-      else
-        link = nil
-      end
-    end
-    protected
-    def upload_path
-      base_dir = FileUploader.generate_dir
-      File.join(@repository.path_with_namespace, base_dir)
-    end
-    def accepted_images
-      %w(png jpg jpeg gif)
-    end
-    def correct_mime_type?(image)
-      accepted_images.map{ |format| image.content_type.include? format }.any?
-    end
-  end
-end
--- a/app/services/projects/upload_service.rb
+++ b/app/services/projects/upload_service.rb
+module Projects
+  class UploadService < BaseService
+    include Rails.application.routes.url_helpers
+    def initialize(project, file)
+      @project, @file = project, file
+    end
+    def execute
+      return nil unless @file
+      uploader = FileUploader.new(@project)
+      uploader.store!(@file)
+      filename = uploader.image? ? uploader.file.basename : uploader.file.filename
+      {
+        'alt'       => filename,
+        'url'       => project_upload_url(@project, secret: uploader.secret, filename: uploader.file.filename),
+        'is_image'  => uploader.image?
+      }
+    end
+  end
+end
--- a/app/uploaders/file_uploader.rb
+++ b/app/uploaders/file_uploader.rb
@@ -2,40 +2,43 @@
 class FileUploader < CarrierWave::Uploader::Base
  storage :file
-  def initialize(base_dir, path = '', allowed_extensions = nil)
+  attr_accessor :project, :secret
-    @base_dir = base_dir
-    @path = path
+  def initialize(project, secret = self.class.generate_secret)
-    @allowed_extensions = allowed_extensions
+    @project = project
+    @secret = secret
  end
  def base_dir
-    @base_dir
+    "uploads"
  end
  def store_dir
-    File.join(@base_dir, @path)
+    File.join(base_dir, @project.path_with_namespace, @secret)
  end
  def cache_dir
-    File.join(@base_dir, 'tmp', @path)
+    File.join(base_dir, 'tmp', @project.path_with_namespace, @secret)
-  end
-  def extension_white_list
-    @allowed_extensions
  end
-  def store!(file)
+  def self.generate_secret
-    @filename = self.class.generate_filename(file)
+    SecureRandom.hex
-    super
  end
-  def self.generate_filename(file)
+  def file_storage?
-    original_filename = File.basename(file.original_filename, '.*')
+    self.class.storage == CarrierWave::Storage::File
-    extension = File.extname(file.original_filename)
-    new_filename = Digest::MD5.hexdigest(original_filename) + extension
  end
-  def self.generate_dir
+  def image?
-    SecureRandom.hex(5)
+    img_ext = %w(png jpg jpeg gif bmp tiff)
+    if file.respond_to?(:extension)
+      img_ext.include?(file.extension.downcase)
+    else
+      # Not all CarrierWave storages respond to :extension
+      ext = file.path.split('.').last.downcase
+      img_ext.include?(ext)
+    end
+  rescue
+    false
  end
 end
--- a/app/views/projects/_issuable_form.html.haml
+++ b/app/views/projects/_issuable_form.html.haml
@@ -23,7 +23,7 @@
          Parsed with
          #{link_to 'GitLab Flavored Markdown', help_page_path('markdown', 'markdown'), target: '_blank'}.
        .pull-right
-          Attach images (JPG, PNG, GIF) by dragging &amp; dropping
+          Attach files by dragging &amp; dropping
          or #{link_to 'selecting them', '#', class: 'markdown-selector' }.
      .clearfix

--- a/app/views/projects/issues/_form.html.haml
+++ b/app/views/projects/issues/_form.html.haml
@@ -11,4 +11,4 @@
    e.preventDefault();
  });
-  window.project_image_path_upload = "#{upload_image_project_path @project}";
+  window.project_uploads_path = "#{project_uploads_path @project}";
--- a/app/views/projects/merge_requests/_form.html.haml
+++ b/app/views/projects/merge_requests/_form.html.haml
@@ -9,4 +9,4 @@
    e.preventDefault();
  });
-  window.project_image_path_upload = "#{upload_image_project_path @project}";
+  window.project_uploads_path = "#{project_uploads_path @project}";
--- a/app/views/projects/merge_requests/_new_submit.html.haml
+++ b/app/views/projects/merge_requests/_new_submit.html.haml
@@ -27,7 +27,7 @@
              Parsed with
              #{link_to 'Gitlab Flavored Markdown', help_page_path('markdown', 'markdown'), target: '_blank'}.
            .pull-right
-              Attach images (JPG, PNG, GIF) by dragging &amp; dropping
+              Attach files by dragging &amp; dropping
              or #{link_to 'selecting them', '#', class: 'markdown-selector'}.
          .clearfix
@@ -113,10 +113,11 @@
    e.preventDefault();
  });
-  window.project_image_path_upload = "#{upload_image_project_path @project}";
+  window.project_uploads_path = "#{project_uploads_path @project}";
 :javascript
  var merge_request
  merge_request = new MergeRequest({
    action: 'commits'
  });
--- a/app/views/projects/milestones/_form.html.haml
+++ b/app/views/projects/milestones/_form.html.haml
@@ -25,7 +25,7 @@
            = render 'projects/zen', f: f, attr: :description, classes: 'description form-control'
            .hint
              .pull-left Milestones are parsed with #{link_to "GitLab Flavored Markdown", help_page_path("markdown", "markdown"), target: '_blank'}.
-              .pull-left Attach images (JPG, PNG, GIF) by dragging & dropping or #{link_to "selecting them", '#', class: 'markdown-selector' }.
+              .pull-left Attach files by dragging & dropping or #{link_to "selecting them", '#', class: 'markdown-selector' }.
          .clearfix
          .error-alert
    .col-md-6
@@ -51,4 +51,4 @@
    onSelect: function(dateText, inst) { $("#milestone_due_date").val(dateText) }
  }).datepicker("setDate", $.datepicker.parseDate('yy-mm-dd', $('#milestone_due_date').val()));
-  window.project_image_path_upload = "#{upload_image_project_path @project}";
+  window.project_uploads_path = "#{project_uploads_path @project}";
--- a/app/views/projects/notes/_edit_form.html.haml
+++ b/app/views/projects/notes/_edit_form.html.haml
@@ -6,17 +6,9 @@
      .comment-hints.clearfix
        .pull-left Comments are parsed with #{link_to "GitLab Flavored Markdown", help_page_path("markdown", "markdown"),{ target: '_blank', tabindex: -1 }}
-        .pull-right Attach images (JPG, PNG, GIF) by dragging &amp; dropping or #{link_to "selecting them", '#', class: 'markdown-selector', tabindex: -1 }.
+        .pull-right Attach files by dragging &amp; dropping or #{link_to "selecting them", '#', class: 'markdown-selector', tabindex: -1 }.
    .note-form-actions
      .buttons
        = f.submit 'Save Comment', class: "btn btn-primary btn-save btn-grouped js-comment-button"
        = link_to  'Cancel', "#", class: "btn btn-cancel note-edit-cancel"
\ No newline at end of file
-      .note-form-option.hidden-xs
-        %a.choose-btn.btn.js-choose-note-attachment-button
-          %i.fa.fa-paperclip
-          %span Choose File ...
-        &nbsp;
-        %span.file_name.js-attachment-filename
-        = f.file_field :attachment, class: "js-note-attachment-input hidden"