diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb index 42bc12daa..cb802f057 100644 --- a/app/controllers/uploads_controller.rb +++ b/app/controllers/uploads_controller.rb @@ -1,9 +1,9 @@ class UploadsController < ApplicationController - before_action :member_only, except: [:index, :show] respond_to :html, :xml, :json, :js skip_before_action :verify_authenticity_token, only: [:preprocess] def new + authorize Upload @source = Sources::Strategies.find(params[:url], params[:ref]) if params[:url].present? @upload, @remote_size = UploadService::ControllerHelper.prepare( url: params[:url], ref: params[:ref] @@ -12,25 +12,27 @@ class UploadsController < ApplicationController end def batch + authorize Upload @url = params.dig(:batch, :url) || params[:url] @source = Sources::Strategies.find(@url, params[:ref]) if @url.present? respond_with(@source) end def image_proxy + authorize Upload resp = ImageProxy.get_image(params[:url]) send_data resp.body, :type => resp.content_type, :disposition => "inline" end def index - @uploads = Upload.paginated_search(params, count_pages: true) + @uploads = authorize Upload.paginated_search(params, count_pages: true) @uploads = @uploads.includes(:uploader, post: :uploader) if request.format.html? respond_with(@uploads) end def show - @upload = Upload.find(params[:id]) + @upload = authorize Upload.find(params[:id]) respond_with(@upload) do |format| format.html do if @upload.is_completed? && @upload.post_id 
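Review bot: Removing `before_action :member_only, except: [:index, :show]` makes every action's gate depend on an explicit `authorize` call, and the policy file added in this commit defines only `batch?`, `image_proxy?` and `preprocess?`, so `new`, `create`, `index` and `show` now resolve to `new?`/`create?`/`index?`/`show?` inherited from ApplicationPolicy, which is not in the diff. If those defaults are permissive, `new`/`create` become reachable by users the old filter rejected; if they are restrictive, the formerly public `index`/`show` start failing for anonymous visitors — either way it is not verifiable from this change. A cheap safety net next to the `respond_to` line is Pundit's `after_action :verify_authorized`, so an action that later forgets `authorize` raises instead of silently being open; the `skip_before_action :verify_authenticity_token, only: [:preprocess]` line is also worth re-reading now that `preprocess` is gated only by `preprocess?`. The `new` action's body continues past the hunk.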
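Review bot: `image_proxy` performs a server-side fetch of the caller-controlled `params[:url]` and streams the body back inline with the upstream `content_type`, and after this hunk its only gate is `image_proxy?`, i.e. `unbanned?`; neither the host restrictions inside `ImageProxy.get_image` nor the definition of `unbanned?` are visible here, so please confirm the fetch is limited to allow-listed image hosts and that `unbanned?` is not wider than the removed `member_only` filter. A comment above the new `authorize Upload` in `image_proxy`, e.g. `# Server-side fetch of a user-supplied URL; ImageProxy.get_image must enforce the host allowlist.`, would make that dependency explicit to the next reader. Authorizing the relation in `index` (`authorize Upload.paginated_search(...)`) works because Pundit resolves the policy from the relation's model, but `index?`/`show?` are likewise inherited, not defined in UploadPolicy. The `show` action's body continues past the hunk.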
@@ -41,14 +43,15 @@ class UploadsController < ApplicationController
   end
 
   def preprocess
+    authorize Upload
     @upload, @remote_size = UploadService::ControllerHelper.prepare(
-      url: upload_params[:source], file: upload_params[:file], ref: upload_params[:referer_url]
+      url: params.dig(:upload, :source), file: params.dig(:upload, :file), ref: params.dig(:upload, :referer_url),
     )
     render body: nil
   end
 
   def create
-    @service = UploadService.new(upload_params)
+    @service = authorize UploadService.new(permitted_attributes(Upload)), policy_class: UploadPolicy
     @upload = @service.start!
 
     if @service.warnings.any?
@@ -57,17 +60,4 @@ class UploadsController < ApplicationController
 
     respond_with(@upload)
   end
-
-  private
-
-  def upload_params
-    permitted_params = %i[
-      file source tag_string rating status parent_id artist_commentary_title
-      artist_commentary_desc include_artist_commentary referer_url
-      md5_confirmation as_pending translated_commentary_title
-      translated_commentary_desc
-    ]
-
-    params.require(:upload).permit(permitted_params)
-  end
 end
diff --git a/app/policies/upload_policy.rb b/app/policies/upload_policy.rb
new file mode 100644
index 000000000..c9dd0d774
--- /dev/null
+++ b/app/policies/upload_policy.rb
@@ -0,0 +1,19 @@
+class UploadPolicy < ApplicationPolicy
+  def batch?
+    unbanned?
+  end
+
+  def image_proxy?
+    unbanned?
+  end
+
+  def preprocess?
+    unbanned?
+  end
+
+  def permitted_attributes
+    %i[file source tag_string rating status parent_id artist_commentary_title
+       artist_commentary_desc include_artist_commentary referer_url
+       md5_confirmation as_pending translated_commentary_title translated_commentary_desc]
+  end
+end
diff --git a/test/functional/uploads_controller_test.rb b/test/functional/uploads_controller_test.rb
index 868c092d6..430716a28 100644
--- a/test/functional/uploads_controller_test.rb
+++ b/test/functional/uploads_controller_test.rb
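Review bot: In `preprocess`, swapping `upload_params[:source]` for `params.dig(:upload, :source)` (and likewise for `file` and `referer_url`) drops the strong-parameters scalar filter, so a request sending `upload[source][]=...` or a nested hash now hands an Array or `ActionController::Parameters` to `UploadService::ControllerHelper.prepare`, where `permit` previously rejected it; `params.fetch(:upload, {}).permit(:source, :file, :referer_url)` keeps the old guarantee in one line. This matters more here than elsewhere because `preprocess` is the action whose CSRF check is skipped in the first hunk of this file. In `create`, `permitted_attributes(Upload)` is evaluated before `authorize`, which is fine, but `create?` is not defined on UploadPolicy in this commit and so inherits from ApplicationPolicy — confirm that is `unbanned?` or stricter. The `create` action's body continues past the hunk.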
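Review bot: UploadPolicy defines `batch?`, `image_proxy?` and `preprocess?` but not `new?`, `create?`, `index?` or `show?`, all of which the controller now authorizes against, so the member-level gate that `before_action :member_only` used to put on `new` and `create` is no longer stated anywhere in the files this commit touches. Define them here explicitly — `def create?` returning `unbanned?` and `def new?` returning `create?` — so the policy documents its own gate rather than depending on ApplicationPolicy defaults that are not in the diff. `permitted_attributes` also lets the uploader set `status`, `as_pending` and `md5_confirmation`; that is carried over from the old `upload_params`, but a comment such as `# status/as_pending/md5_confirmation are uploader-supplied; UploadService is expected to validate them` would record that this is deliberate and where the check lives.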
@@ -243,6 +243,7 @@ class UploadsControllerTest < ActionDispatch::IntegrationTest
       assert_difference("Upload.count", 1) do
         file = Rack::Test::UploadedFile.new("#{Rails.root}/test/files/test.jpg", "image/jpeg")
         post_auth uploads_path, @user, params: {:upload => {:file => file, :tag_string => "aaa", :rating => "q", :source => "aaa"}}
+        assert_redirected_to Upload.last
       end
     end
   end
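Review bot: The only test change is an `assert_redirected_to Upload.last` on the happy path, so nothing exercises the access-control change in this commit — a permissive `create?`/`new?` inherited from ApplicationPolicy, or an `unbanned?` broader than the removed `member_only`, would pass CI unnoticed. Add at least one negative case alongside this test: a `post_auth uploads_path, <banned or anonymous user>, params: {...}` followed by `assert_response 403`, and the same for `get new_upload_path` and `image_proxy`. The enclosing test block starts before the hunk.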