diff options
author | Lauri Ojansivu <x@xet7.org> | 2017-09-02 16:30:43 +0300 |
---|---|---|
committer | Lauri Ojansivu <x@xet7.org> | 2017-09-02 16:30:43 +0300 |
commit | a3d4a9489086869a80d095a91ff3860a16861d14 (patch) | |
tree | a2039cfeb8afe13995f07b555a7a953c690720b9 /models/attachments.js | |
parent | d4537af3b4a3072196309ddaa0679dc935f3c46c (diff) | |
parent | eb9b8091754867a537d68f3837efbc9705532413 (diff) | |
download | wekan-a3d4a9489086869a80d095a91ff3860a16861d14.tar.gz wekan-a3d4a9489086869a80d095a91ff3860a16861d14.tar.bz2 wekan-a3d4a9489086869a80d095a91ff3860a16861d14.zip |
Merge branch 'GhassenRjab-feature/manual-attachments-activities' into devel
Import attachments related activities from Wekan and Trello.
Thanks to GhassenRjab ! Closes #1157
Diffstat (limited to 'models/attachments.js')
-rw-r--r-- | models/attachments.js | 62 |
1 files changed, 36 insertions, 26 deletions
diff --git a/models/attachments.js b/models/attachments.js index 1c9878c7..560bec99 100644 --- a/models/attachments.js +++ b/models/attachments.js @@ -3,7 +3,25 @@ Attachments = new FS.Collection('attachments', { // XXX Add a new store for cover thumbnails so we don't load big images in // the general board view - new FS.Store.GridFS('attachments'), + new FS.Store.GridFS('attachments', { + // If the uploaded document is not an image we need to enforce browser + // download instead of execution. This is particularly important for HTML + // files that the browser will just execute if we don't serve them with the + // appropriate `application/octet-stream` MIME header which can lead to user + // data leaks. I imagine other formats (like PDF) can also be attack vectors. + // See https://github.com/wekan/wekan/issues/99 + // XXX Should we use `beforeWrite` option of CollectionFS instead of + // collection-hooks? + // We should use `beforeWrite`. + beforeWrite: (fileObj) => { + if (!fileObj.isImage()) { + return { + type: 'application/octet-stream', + }; + } + return {}; + }, + }), ], }); @@ -36,33 +54,25 @@ if (Meteor.isServer) { // XXX Enforce a schema for the Attachments CollectionFS -Attachments.files.before.insert((userId, doc) => { - const file = new FS.File(doc); - doc.userId = userId; - - // If the uploaded document is not an image we need to enforce browser - // download instead of execution. This is particularly important for HTML - // files that the browser will just execute if we don't serve them with the - // appropriate `application/octet-stream` MIME header which can lead to user - // data leaks. I imagine other formats (like PDF) can also be attack vectors. - // See https://github.com/wekan/wekan/issues/99 - // XXX Should we use `beforeWrite` option of CollectionFS instead of - // collection-hooks? - if (!file.isImage()) { - file.original.type = 'application/octet-stream'; - } -}); - if (Meteor.isServer) { Attachments.files.after.insert((userId, doc) => { - Activities.insert({ - userId, - type: 'card', - activityType: 'addAttachment', - attachmentId: doc._id, - boardId: doc.boardId, - cardId: doc.cardId, - }); + // If the attachment doesn't have a source field + // or its source is different than import + if (!doc.source || doc.source !== 'import') { + // Add activity about adding the attachment + Activities.insert({ + userId, + type: 'card', + activityType: 'addAttachment', + attachmentId: doc._id, + boardId: doc.boardId, + cardId: doc.cardId, + }); + } else { + // Don't add activity about adding the attachment as the activity + // be imported and delete source field + Attachments.update( {_id: doc._id}, {$unset: { source : '' } } ); + } }); Attachments.files.after.remove((userId, doc) => { |