diff options
author | Lauri Ojansivu <x@xet7.org> | 2017-09-02 16:05:14 +0300 |
---|---|---|
committer | Lauri Ojansivu <x@xet7.org> | 2017-09-02 16:05:14 +0300 |
commit | 17cf8ded07e77726d6a6d037b446da50ef734095 (patch) | |
tree | 38a5fd5d88633a2cdaab35339f5c39156d2de3f8 /models/attachments.js | |
parent | d4537af3b4a3072196309ddaa0679dc935f3c46c (diff) | |
parent | 181af6f2508405c0459197445f3b02f8368cb490 (diff) | |
download | wekan-17cf8ded07e77726d6a6d037b446da50ef734095.tar.gz wekan-17cf8ded07e77726d6a6d037b446da50ef734095.tar.bz2 wekan-17cf8ded07e77726d6a6d037b446da50ef734095.zip |
Merge branch 'feature/manual-attachments-activities' of https://github.com/GhassenRjab/wekan into GhassenRjab-feature/manual-attachments-activities
Diffstat (limited to 'models/attachments.js')
-rw-r--r-- | models/attachments.js | 62 |
1 files changed, 36 insertions, 26 deletions
diff --git a/models/attachments.js b/models/attachments.js index 1c9878c7..560bec99 100644 --- a/models/attachments.js +++ b/models/attachments.js @@ -3,7 +3,25 @@ Attachments = new FS.Collection('attachments', { // XXX Add a new store for cover thumbnails so we don't load big images in // the general board view - new FS.Store.GridFS('attachments'), + new FS.Store.GridFS('attachments', { + // If the uploaded document is not an image we need to enforce browser + // download instead of execution. This is particularly important for HTML + // files that the browser will just execute if we don't serve them with the + // appropriate `application/octet-stream` MIME header which can lead to user + // data leaks. I imagine other formats (like PDF) can also be attack vectors. + // See https://github.com/wekan/wekan/issues/99 + // XXX Should we use `beforeWrite` option of CollectionFS instead of + // collection-hooks? + // We should use `beforeWrite`. + beforeWrite: (fileObj) => { + if (!fileObj.isImage()) { + return { + type: 'application/octet-stream', + }; + } + return {}; + }, + }), ], }); @@ -36,33 +54,25 @@ if (Meteor.isServer) { // XXX Enforce a schema for the Attachments CollectionFS -Attachments.files.before.insert((userId, doc) => { - const file = new FS.File(doc); - doc.userId = userId; - - // If the uploaded document is not an image we need to enforce browser - // download instead of execution. This is particularly important for HTML - // files that the browser will just execute if we don't serve them with the - // appropriate `application/octet-stream` MIME header which can lead to user - // data leaks. I imagine other formats (like PDF) can also be attack vectors. - // See https://github.com/wekan/wekan/issues/99 - // XXX Should we use `beforeWrite` option of CollectionFS instead of - // collection-hooks? - if (!file.isImage()) { - file.original.type = 'application/octet-stream'; - } -}); - if (Meteor.isServer) { Attachments.files.after.insert((userId, doc) => { - Activities.insert({ - userId, - type: 'card', - activityType: 'addAttachment', - attachmentId: doc._id, - boardId: doc.boardId, - cardId: doc.cardId, - }); + // If the attachment doesn't have a source field + // or its source is different than import + if (!doc.source || doc.source !== 'import') { + // Add activity about adding the attachment + Activities.insert({ + userId, + type: 'card', + activityType: 'addAttachment', + attachmentId: doc._id, + boardId: doc.boardId, + cardId: doc.cardId, + }); + } else { + // Don't add activity about adding the attachment as the activity + // be imported and delete source field + Attachments.update( {_id: doc._id}, {$unset: { source : '' } } ); + } }); Attachments.files.after.remove((userId, doc) => { |