diff options
Diffstat (limited to 'collections/attachments.js')
| -rw-r--r-- | collections/attachments.js | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/collections/attachments.js b/collections/attachments.js new file mode 100644 index 00000000..c8fe6b18 --- /dev/null +++ b/collections/attachments.js @@ -0,0 +1,79 @@ +Attachments = new FS.Collection('attachments', { + stores: [ + + // XXX Add a new store for cover thumbnails so we don't load big images in + // the general board view + new FS.Store.GridFS('attachments') + ] +}); + +if (Meteor.isServer) { + Attachments.allow({ + insert: function(userId, doc) { + return allowIsBoardMember(userId, Boards.findOne(doc.boardId)); + }, + update: function(userId, doc) { + return allowIsBoardMember(userId, Boards.findOne(doc.boardId)); + }, + remove: function(userId, doc) { + return allowIsBoardMember(userId, Boards.findOne(doc.boardId)); + }, + // We authorize the attachment download either: + // - if the board is public, everyone (even unconnected) can download it + // - if the board is private, only board members can download it + // + // XXX We have a bug with the `userId` verification: + // + // https://github.com/CollectionFS/Meteor-CollectionFS/issues/449 + // + download: function(userId, doc) { + var query = { + $or: [ + { 'members.userId': userId }, + { permission: 'public' } + ] + }; + return !! Boards.findOne(doc.boardId, query); + }, + + fetch: ['boardId'] + }); +} + +// XXX Enforce a schema for the Attachments CollectionFS + +Attachments.files.before.insert(function(userId, doc) { + var file = new FS.File(doc); + doc.userId = userId; + + // If the uploaded document is not an image we need to enforce browser + // download instead of execution. This is particularly important for HTML + // files that the browser will just execute if we don't serve them with the + // appropriate `application/octet-stream` MIME header which can lead to user + // data leaks. I imagine other formats (like PDF) can also be attack vectors. + // See https://github.com/libreboard/libreboard/issues/99 + // XXX Should we use `beforeWrite` option of CollectionFS instead of + // collection-hooks? + if (! file.isImage()) { + file.original.type = 'application/octet-stream'; + } +}); + +if (Meteor.isServer) { + Attachments.files.after.insert(function(userId, doc) { + Activities.insert({ + type: 'card', + activityType: 'addAttachment', + attachmentId: doc._id, + boardId: doc.boardId, + cardId: doc.cardId, + userId: userId + }); + }); + + Attachments.files.after.remove(function(userId, doc) { + Activities.remove({ + attachmentId: doc._id + }); + }); +} |