[PLT-6288] add way to view in the browser and not download in apiV4 (#6062)

* add way to view in the browser and not download

* add DetectContentType to get the contenttype for the file

* update per review

1 files changed, 49 insertions, 10 deletions

diff --git a/api4/file.go b/api4/file.go
index de1ce454d..6bd751a67 100644
--- a/api4/file.go
+++ b/api4/file.go
@@ -22,10 +22,10 @@ func InitFile() {
 	l4g.Debug(utils.T("api.file.init.debug"))
 
 	BaseRoutes.Files.Handle("", ApiSessionRequired(uploadFile)).Methods("POST")
-	BaseRoutes.File.Handle("", ApiSessionRequired(getFile)).Methods("GET")
-	BaseRoutes.File.Handle("/thumbnail", ApiSessionRequired(getFileThumbnail)).Methods("GET")
+	BaseRoutes.File.Handle("", ApiSessionRequiredTrustRequester(getFile)).Methods("GET")
+	BaseRoutes.File.Handle("/thumbnail", ApiSessionRequiredTrustRequester(getFileThumbnail)).Methods("GET")
 	BaseRoutes.File.Handle("/link", ApiSessionRequired(getFileLink)).Methods("GET")
-	BaseRoutes.File.Handle("/preview", ApiSessionRequired(getFilePreview)).Methods("GET")
+	BaseRoutes.File.Handle("/preview", ApiSessionRequiredTrustRequester(getFilePreview)).Methods("GET")
 	BaseRoutes.File.Handle("/info", ApiSessionRequired(getFileInfo)).Methods("GET")
 
 	BaseRoutes.PublicFile.Handle("", ApiHandler(getPublicFile)).Methods("GET")
@@ -78,6 +78,11 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download"))
+	if failConv != nil {
+		toDownload = false
+	}
+
 	info, err := app.GetFileInfo(c.Params.FileId)
 	if err != nil {
 		c.Err = err
@@ -89,10 +94,30 @@ func getFile(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
-	if data, err := app.ReadFile(info.Path); err != nil {
+	data, err := app.ReadFile(info.Path)
+	if err != nil {
 		c.Err = err
 		c.Err.StatusCode = http.StatusNotFound
-	} else if err := writeFileResponse(info.Name, info.MimeType, data, w, r); err != nil {
+		return
+	}
+
+	contentTypeToCheck := []string{"image/jpeg", "image/png", "image/bmp", "image/gif",
+		"video/avi", "video/mpeg", "audio/mpeg3", "audio/wav"}
+
+	contentType := http.DetectContentType(data)
+	foundContentType := false
+	for _, contentTypeFromList := range contentTypeToCheck {
+		if contentType == contentTypeFromList && toDownload == false {
+			foundContentType = true
+			break
+		}
+	}
+	if !foundContentType {
+		toDownload = true
+	}
+
+	err = writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r)
+	if err != nil {
 		c.Err = err
 		return
 	}
@@ -104,6 +129,11 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download"))
+	if failConv != nil {
+		toDownload = false
+	}
+
 	info, err := app.GetFileInfo(c.Params.FileId)
 	if err != nil {
 		c.Err = err
@@ -124,7 +154,7 @@ func getFileThumbnail(c *Context, w http.ResponseWriter, r *http.Request) {
 	if data, err := app.ReadFile(info.ThumbnailPath); err != nil {
 		c.Err = err
 		c.Err.StatusCode = http.StatusNotFound
-	} else if err := writeFileResponse(info.Name, info.MimeType, data, w, r); err != nil {
+	} else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil {
 		c.Err = err
 		return
 	}
@@ -171,6 +201,11 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	toDownload, failConv := strconv.ParseBool(r.URL.Query().Get("download"))
+	if failConv != nil {
+		toDownload = false
+	}
+
 	info, err := app.GetFileInfo(c.Params.FileId)
 	if err != nil {
 		c.Err = err
@@ -191,7 +226,7 @@ func getFilePreview(c *Context, w http.ResponseWriter, r *http.Request) {
 	if data, err := app.ReadFile(info.PreviewPath); err != nil {
 		c.Err = err
 		c.Err.StatusCode = http.StatusNotFound
-	} else if err := writeFileResponse(info.Name, info.MimeType, data, w, r); err != nil {
+	} else if err := writeFileResponse(info.Name, info.MimeType, data, toDownload, w, r); err != nil {
 		c.Err = err
 		return
 	}
@@ -253,13 +288,13 @@ func getPublicFile(c *Context, w http.ResponseWriter, r *http.Request) {
 	if data, err := app.ReadFile(info.Path); err != nil {
 		c.Err = err
 		c.Err.StatusCode = http.StatusNotFound
-	} else if err := writeFileResponse(info.Name, info.MimeType, data, w, r); err != nil {
+	} else if err := writeFileResponse(info.Name, info.MimeType, data, true, w, r); err != nil {
 		c.Err = err
 		return
 	}
 }
 
-func writeFileResponse(filename string, contentType string, bytes []byte, w http.ResponseWriter, r *http.Request) *model.AppError {
+func writeFileResponse(filename string, contentType string, bytes []byte, toDownload bool, w http.ResponseWriter, r *http.Request) *model.AppError {
 	w.Header().Set("Cache-Control", "max-age=2592000, public")
 	w.Header().Set("Content-Length", strconv.Itoa(len(bytes)))
 
@@ -269,7 +304,11 @@ func writeFileResponse(filename string, contentType string, bytes []byte, w http
 		w.Header().Del("Content-Type") // Content-Type will be set automatically by the http writer
 	}
 
-	w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))
+	if toDownload {
+		w.Header().Set("Content-Disposition", "attachment;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))
+	} else {
+		w.Header().Set("Content-Disposition", "inline;filename=\""+filename+"\"; filename*=UTF-8''"+url.QueryEscape(filename))
+	}
 
 	// prevent file links from being embedded in iframes
 	w.Header().Set("X-Frame-Options", "DENY")