discourse/app/jobs/scheduled/clean_up_uploads.rb

# frozen_string_literal: true

module Jobs
  class CleanUpUploads < ::Jobs::Scheduled
    every 1.hour

    def execute(args)
      grace_period = [SiteSetting.clean_orphan_uploads_grace_period_hours, 1].max

      # always remove invalid upload records
      Upload
        .by_users
        .where("retain_hours IS NULL OR created_at < current_timestamp - interval '1 hour' * retain_hours")
        .where("created_at < ?", grace_period.hour.ago)
        .where(url: "")
        .find_each(&:destroy!)

      return unless SiteSetting.clean_up_uploads?

      if c = last_cleanup
        return if (Time.zone.now.to_i - c) < (grace_period / 2).hours
      end

      base_url = Discourse.store.internal? ? Discourse.store.relative_base_url : Discourse.store.absolute_base_url
      s3_hostname = URI.parse(base_url).hostname
      s3_cdn_hostname = URI.parse(SiteSetting.Upload.s3_cdn_url || "").hostname

      # Any URLs in site settings are fair game
      ignore_urls = [
        *SiteSetting.selectable_avatars.split("\n"),
      ].flatten.map do |url|
        if url.present?
          url = url.dup

          if s3_cdn_hostname.present? && s3_hostname.present?
            url.gsub!(s3_cdn_hostname, s3_hostname)
          end

          url[base_url] && url[url.index(base_url)..-1]
        else
          nil
        end
      end.compact.uniq

      result = Upload.by_users
        .where("uploads.retain_hours IS NULL OR uploads.created_at < current_timestamp - interval '1 hour' * uploads.retain_hours")
        .where("uploads.created_at < ?", grace_period.hour.ago)
        .where("uploads.access_control_post_id IS NULL")
        .joins(<<~SQL)
          LEFT JOIN site_settings ss
          ON NULLIF(ss.value, '')::integer = uploads.id
          AND ss.data_type = #{SiteSettings::TypeSupervisor.types[:upload].to_i}
        SQL
        .joins("LEFT JOIN post_uploads pu ON pu.upload_id = uploads.id")
        .joins("LEFT JOIN users u ON u.uploaded_avatar_id = uploads.id")
        .joins("LEFT JOIN user_avatars ua ON ua.gravatar_upload_id = uploads.id OR ua.custom_upload_id = uploads.id")
        .joins("LEFT JOIN user_profiles up ON up.profile_background_upload_id = uploads.id OR up.card_background_upload_id = uploads.id")
        .joins("LEFT JOIN categories c ON c.uploaded_logo_id = uploads.id OR c.uploaded_background_id = uploads.id")
        .joins("LEFT JOIN custom_emojis ce ON ce.upload_id = uploads.id")
        .joins("LEFT JOIN theme_fields tf ON tf.upload_id = uploads.id")
        .joins("LEFT JOIN user_exports ue ON ue.upload_id = uploads.id")
        .joins("LEFT JOIN groups g ON g.flair_upload_id = uploads.id")
        .where("pu.upload_id IS NULL")
        .where("u.uploaded_avatar_id IS NULL")
        .where("ua.gravatar_upload_id IS NULL AND ua.custom_upload_id IS NULL")
        .where("up.profile_background_upload_id IS NULL AND up.card_background_upload_id IS NULL")
        .where("c.uploaded_logo_id IS NULL AND c.uploaded_background_id IS NULL")
        .where("ce.upload_id IS NULL")
        .where("tf.upload_id IS NULL")
        .where("ue.upload_id IS NULL")
        .where("g.flair_upload_id IS NULL")
        .where("ss.value IS NULL")

      result = result.where("uploads.url NOT IN (?)", ignore_urls) if ignore_urls.present?

      result.find_each do |upload|
        if upload.sha1.present?
          encoded_sha = Base62.encode(upload.sha1.hex)
          next if ReviewableQueuedPost.pending.where("payload->>'raw' LIKE '%#{upload.sha1}%' OR payload->>'raw' LIKE '%#{encoded_sha}%'").exists?
          next if Draft.where("data LIKE '%#{upload.sha1}%' OR data LIKE '%#{encoded_sha}%'").exists?
          upload.destroy
        else
          upload.delete
        end
      end

      self.last_cleanup = Time.zone.now.to_i
    end

    def last_cleanup=(v)
      Discourse.redis.setex(last_cleanup_key, 7.days.to_i, v.to_s)
    end

    def last_cleanup
      v = Discourse.redis.get(last_cleanup_key)
      v ? v.to_i : v
    end

    def reset_last_cleanup!
      Discourse.redis.del(last_cleanup_key)
    end

    protected

    def last_cleanup_key
      "LAST_UPLOAD_CLEANUP"
    end

  end
end
DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging 2019-05-02 18:17:27 -04:00			`# frozen_string_literal: true`

added a job to clean up orphan uploads 2013-10-14 08:27:41 -04:00			`module Jobs`
DEV: Upgrading Discourse to Zeitwerk (#8098) Zeitwerk simplifies working with dependencies in dev and makes it easier reloading class chains. We no longer need to use Rails "require_dependency" anywhere and instead can just use standard Ruby patterns to require files. This is a far reaching change and we expect some followups here. 2019-10-02 00:01:53 -04:00			`class CleanUpUploads < ::Jobs::Scheduled`
FEATURE: new scheduler Removed sidetiq, introduced new scheduler - add basic UI - add schedule discover - add scheduling in initializer 2014-02-05 18:14:41 -05:00			`every 1.hour`
added a job to clean up orphan uploads 2013-10-14 08:27:41 -04:00
			`def execute(args)`
FIX: always delete invalid upload records 2018-06-04 12:40:57 -04:00			`grace_period = [SiteSetting.clean_orphan_uploads_grace_period_hours, 1].max`
make rubocop happy 2018-06-04 13:06:52 -04:00
FIX: always delete invalid upload records 2018-06-04 12:40:57 -04:00			`# always remove invalid upload records`
			`Upload`
FIX: Properly support defaults for upload site settings. 2019-01-02 02:29:17 -05:00			`.by_users`
FIX: always delete invalid upload records 2018-06-04 12:40:57 -04:00			`.where("retain_hours IS NULL OR created_at < current_timestamp - interval '1 hour' * retain_hours")`
			`.where("created_at < ?", grace_period.hour.ago)`
Upload.url can't be NULL 2018-06-04 12:43:00 -04:00			`.where(url: "")`
FIX: Avoid `destroy_all` in `Jobs::CleanUpUploads`. `destroy_all` loads all the relation into memory as once. See https://github.com/rails/rails/issues/22510 2018-07-02 00:41:53 -04:00			`.find_each(&:destroy!)`
make rubocop happy 2018-06-04 13:06:52 -04:00
add a sitesetting to enable the CleanUpUploads job 2013-10-16 04:55:42 -04:00			`return unless SiteSetting.clean_up_uploads?`
added a job to clean up orphan uploads 2013-10-14 08:27:41 -04:00
PERF: run expensive clean up uploads less frequently Previously every hour we would run a full scan of the entire DB searching for expired uploads that need to be moved to the tombstone folder. This commit amends it so we only run the job 2 times per clean_orpha_uploads_grace_period_hours There is a upper bound of 7 days so even if the grace period is set really high it will still run at least once a week. By default we have a 48 grace period so this amends it to run this cleanup daily instead of hourly. This eliminates 23 times we run this ultra expensive query. 2019-10-27 20:14:52 -04:00			`if c = last_cleanup`
			`return if (Time.zone.now.to_i - c) < (grace_period / 2).hours`
			`end`

FIX: the 'clean_up_uploads' jobs would delete images used in site settings when they were entered using absolute URLs, with the CDN or simple a different format than the one used in the database 2017-06-07 16:53:15 -04:00			`base_url = Discourse.store.internal? ? Discourse.store.relative_base_url : Discourse.store.absolute_base_url`
			`s3_hostname = URI.parse(base_url).hostname`
FEATURE: allow specifying s3 config via globals This refactors handling of s3 so it can be specified via GlobalSetting This means that in a multisite environment you can configure s3 uploads without actual sites knowing credentials in s3 It is a critical setting for situations where assets are mirrored to s3. 2017-10-06 01:20:01 -04:00			`s3_cdn_hostname = URI.parse(SiteSetting.Upload.s3_cdn_url \|\| "").hostname`
FIX: the 'clean_up_uploads' jobs would delete images used in site settings when they were entered using absolute URLs, with the CDN or simple a different format than the one used in the database 2017-06-07 16:53:15 -04:00
Upload Logos Step 2016-09-08 16:58:07 -04:00			`# Any URLs in site settings are fair game`
PERF: `NOT IN` query is really inefficient for large tables. 2016-11-01 23:14:02 -04:00			`ignore_urls = [`
FEATURE: selectable avatars 2018-07-18 06:57:43 -04:00			`*SiteSetting.selectable_avatars.split("\n"),`
			`].flatten.map do \|url\|`
FIX: Don't raise an error cleaning up uploads if a path is nil 2017-06-08 14:31:58 -04:00			`if url.present?`
			`url = url.dup`
Fix undefined method for Nil class error. 2017-09-28 05:38:53 -04:00
			`if s3_cdn_hostname.present? && s3_hostname.present?`
			`url.gsub!(s3_cdn_hostname, s3_hostname)`
			`end`

FIX: Don't raise an error cleaning up uploads if a path is nil 2017-06-08 14:31:58 -04:00			`url[base_url] && url[url.index(base_url)..-1]`
			`else`
			`nil`
			`end`
FIX: the 'clean_up_uploads' jobs would delete images used in site settings when they were entered using absolute URLs, with the CDN or simple a different format than the one used in the database 2017-06-07 16:53:15 -04:00			`end.compact.uniq`
Upload Logos Step 2016-09-08 16:58:07 -04:00
FIX: Properly support defaults for upload site settings. 2019-01-02 02:29:17 -05:00			`result = Upload.by_users`
			`.where("uploads.retain_hours IS NULL OR uploads.created_at < current_timestamp - interval '1 hour' * uploads.retain_hours")`
PERF: `NOT IN` query is really inefficient for large tables. 2016-11-01 23:14:02 -04:00			`.where("uploads.created_at < ?", grace_period.hour.ago)`
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component. 2020-01-15 22:50:27 -05:00			`.where("uploads.access_control_post_id IS NULL")`
FEATURE: Upload Site Settings. (#6573) 2018-11-14 02:03:02 -05:00			`.joins(<<~SQL)`
			`LEFT JOIN site_settings ss`
FIX: `Jobs::CleanUpUploads` fails when value of upload data_type is an empty string. 2018-11-29 21:46:39 -05:00			`ON NULLIF(ss.value, '')::integer = uploads.id`
FEATURE: Upload Site Settings. (#6573) 2018-11-14 02:03:02 -05:00			`AND ss.data_type = #{SiteSettings::TypeSupervisor.types[:upload].to_i}`
			`SQL`
PERF: `NOT IN` query is really inefficient for large tables. 2016-11-01 23:14:02 -04:00			`.joins("LEFT JOIN post_uploads pu ON pu.upload_id = uploads.id")`
			`.joins("LEFT JOIN users u ON u.uploaded_avatar_id = uploads.id")`
FIX: be more lenient when deleting a custom emoji 2017-11-20 17:50:23 -05:00			`.joins("LEFT JOIN user_avatars ua ON ua.gravatar_upload_id = uploads.id OR ua.custom_upload_id = uploads.id")`
FIX: Properly associate user_profiles background urls via upload id. `Upload#url` is more likely and can change from time to time. When it does changes, we don't want to have to look through multiple tables to ensure that the URLs are all up to date. Instead, we simply associate uploads properly to `UserProfile` so that it does not have to replicate the URLs in the table. 2019-04-28 23:58:52 -04:00			`.joins("LEFT JOIN user_profiles up ON up.profile_background_upload_id = uploads.id OR up.card_background_upload_id = uploads.id")`
DEV: remove uploaded_meta_id column from category (#6725) * DEV: remove uploaded_meta_id column from category * remove uploaded_meta part 2019-01-09 20:37:21 -05:00			`.joins("LEFT JOIN categories c ON c.uploaded_logo_id = uploads.id OR c.uploaded_background_id = uploads.id")`
FIX: Store custom emojis as uploads. * Depending on a hardcoded directory was a flawed design which made it impossible to debug when custom emojis go missing. 2017-02-02 04:41:57 -05:00			`.joins("LEFT JOIN custom_emojis ce ON ce.upload_id = uploads.id")`
Allow theme field object model to support uploads 2017-05-08 11:38:48 -04:00			`.joins("LEFT JOIN theme_fields tf ON tf.upload_id = uploads.id")`
FIX: create upload record for exported csv files 2018-04-19 07:30:31 -04:00			`.joins("LEFT JOIN user_exports ue ON ue.upload_id = uploads.id")`
UX: use "icon-picker" & "image-uploader" fields to set group flair. (#9779) 2020-05-25 01:38:47 -04:00			`.joins("LEFT JOIN groups g ON g.flair_upload_id = uploads.id")`
PERF: `NOT IN` query is really inefficient for large tables. 2016-11-01 23:14:02 -04:00			`.where("pu.upload_id IS NULL")`
			`.where("u.uploaded_avatar_id IS NULL")`
			`.where("ua.gravatar_upload_id IS NULL AND ua.custom_upload_id IS NULL")`
FIX: Properly associate user_profiles background urls via upload id. `Upload#url` is more likely and can change from time to time. When it does changes, we don't want to have to look through multiple tables to ensure that the URLs are all up to date. Instead, we simply associate uploads properly to `UserProfile` so that it does not have to replicate the URLs in the table. 2019-04-28 23:58:52 -04:00			`.where("up.profile_background_upload_id IS NULL AND up.card_background_upload_id IS NULL")`
FIX: Associate category logo and background to uploads record. 2016-12-02 02:15:34 -05:00			`.where("c.uploaded_logo_id IS NULL AND c.uploaded_background_id IS NULL")`
FIX: be more lenient when deleting a custom emoji 2017-11-20 17:50:23 -05:00			`.where("ce.upload_id IS NULL")`
			`.where("tf.upload_id IS NULL")`
FIX: create upload record for exported csv files 2018-04-19 07:30:31 -04:00			`.where("ue.upload_id IS NULL")`
UX: use "icon-picker" & "image-uploader" fields to set group flair. (#9779) 2020-05-25 01:38:47 -04:00			`.where("g.flair_upload_id IS NULL")`
FEATURE: Upload Site Settings. (#6573) 2018-11-14 02:03:02 -05:00			`.where("ss.value IS NULL")`
FIX: the 'clean_up_uploads' jobs would delete images used in site settings when they were entered using absolute URLs, with the CDN or simple a different format than the one used in the database 2017-06-07 16:53:15 -04:00
			`result = result.where("uploads.url NOT IN (?)", ignore_urls) if ignore_urls.present?`
added a job to clean up orphan uploads 2013-10-14 08:27:41 -04:00
FIX: don't destroy uploads in queued posts and drafts 2016-08-01 12:35:57 -04:00			`result.find_each do \|upload\|`
FIX: always clean up uploads with no sha1 2017-11-14 04:56:10 -05:00			`if upload.sha1.present?`
			`encoded_sha = Base62.encode(upload.sha1.hex)`
FIX: Only consider pending queued posts for cleaning up uploads 2019-04-12 14:39:32 -04:00			`next if ReviewableQueuedPost.pending.where("payload->>'raw' LIKE '%#{upload.sha1}%' OR payload->>'raw' LIKE '%#{encoded_sha}%'").exists?`
FIX: always clean up uploads with no sha1 2017-11-14 04:56:10 -05:00			`next if Draft.where("data LIKE '%#{upload.sha1}%' OR data LIKE '%#{encoded_sha}%'").exists?`
FIX: delete upload records when sha is null 2017-11-21 04:20:42 -05:00			`upload.destroy`
			`else`
			`upload.delete`
FIX: always clean up uploads with no sha1 2017-11-14 04:56:10 -05:00			`end`
PERF: Split queries when cleaning uploads. This reduces the number of scans that the db has to do in the query to fetch orphan uploads. Futheremore, we were not batching our records which bloats memory. 2016-07-01 03:22:30 -04:00			`end`
PERF: run expensive clean up uploads less frequently Previously every hour we would run a full scan of the entire DB searching for expired uploads that need to be moved to the tombstone folder. This commit amends it so we only run the job 2 times per clean_orpha_uploads_grace_period_hours There is a upper bound of 7 days so even if the grace period is set really high it will still run at least once a week. By default we have a 48 grace period so this amends it to run this cleanup daily instead of hourly. This eliminates 23 times we run this ultra expensive query. 2019-10-27 20:14:52 -04:00
			`self.last_cleanup = Time.zone.now.to_i`
			`end`

			`def last_cleanup=(v)`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 04:05:53 -05:00			`Discourse.redis.setex(last_cleanup_key, 7.days.to_i, v.to_s)`
PERF: run expensive clean up uploads less frequently Previously every hour we would run a full scan of the entire DB searching for expired uploads that need to be moved to the tombstone folder. This commit amends it so we only run the job 2 times per clean_orpha_uploads_grace_period_hours There is a upper bound of 7 days so even if the grace period is set really high it will still run at least once a week. By default we have a 48 grace period so this amends it to run this cleanup daily instead of hourly. This eliminates 23 times we run this ultra expensive query. 2019-10-27 20:14:52 -04:00			`end`

			`def last_cleanup`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 04:05:53 -05:00			`v = Discourse.redis.get(last_cleanup_key)`
PERF: run expensive clean up uploads less frequently Previously every hour we would run a full scan of the entire DB searching for expired uploads that need to be moved to the tombstone folder. This commit amends it so we only run the job 2 times per clean_orpha_uploads_grace_period_hours There is a upper bound of 7 days so even if the grace period is set really high it will still run at least once a week. By default we have a 48 grace period so this amends it to run this cleanup daily instead of hourly. This eliminates 23 times we run this ultra expensive query. 2019-10-27 20:14:52 -04:00			`v ? v.to_i : v`
PERF: Split queries when cleaning uploads. This reduces the number of scans that the db has to do in the query to fetch orphan uploads. Futheremore, we were not batching our records which bloats memory. 2016-07-01 03:22:30 -04:00			`end`
PERF: run expensive clean up uploads less frequently Previously every hour we would run a full scan of the entire DB searching for expired uploads that need to be moved to the tombstone folder. This commit amends it so we only run the job 2 times per clean_orpha_uploads_grace_period_hours There is a upper bound of 7 days so even if the grace period is set really high it will still run at least once a week. By default we have a 48 grace period so this amends it to run this cleanup daily instead of hourly. This eliminates 23 times we run this ultra expensive query. 2019-10-27 20:14:52 -04:00
			`def reset_last_cleanup!`
DEV: s/\$redis/Discourse\.redis (#8431) This commit also adds a rubocop rule to prevent global variables. 2019-12-03 04:05:53 -05:00			`Discourse.redis.del(last_cleanup_key)`
PERF: run expensive clean up uploads less frequently Previously every hour we would run a full scan of the entire DB searching for expired uploads that need to be moved to the tombstone folder. This commit amends it so we only run the job 2 times per clean_orpha_uploads_grace_period_hours There is a upper bound of 7 days so even if the grace period is set really high it will still run at least once a week. By default we have a 48 grace period so this amends it to run this cleanup daily instead of hourly. This eliminates 23 times we run this ultra expensive query. 2019-10-27 20:14:52 -04:00			`end`

			`protected`

			`def last_cleanup_key`
			`"LAST_UPLOAD_CLEANUP"`
			`end`

PERF: Split queries when cleaning uploads. This reduces the number of scans that the db has to do in the query to fetch orphan uploads. Futheremore, we were not batching our records which bloats memory. 2016-07-01 03:22:30 -04:00			`end`
added a job to clean up orphan uploads 2013-10-14 08:27:41 -04:00			`end`