discourse/app/controllers/uploads_controller.rb

require_dependency 'upload_creator'

class UploadsController < ApplicationController
  before_filter :ensure_logged_in, except: [:show]
  skip_before_filter :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]

  def create
    # 50 characters ought to be enough for the upload type
    type = params.require(:type).parameterize("_")[0..50]

    if type == "avatar" && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
      return render json: failed_json, status: 422
    end

    url  = params[:url]
    file = params[:file] || params[:files]&.first

    if params[:synchronous] && (current_user.staff? || is_api?)
      data = create_upload(file, url, type)
      render json: data.as_json
    else
      Scheduler::Defer.later("Create Upload") do
        begin
          data = create_upload(file, url, type)
        ensure
          MessageBus.publish("/uploads/#{type}", (data || {}).as_json, client_ids: [params[:client_id]])
        end
      end
      render json: success_json
    end
  end

  def show
    return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])

    RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
      return render_404 unless Discourse.store.internal?
      return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
      return render_404 if SiteSetting.login_required? && db == "default" && current_user.nil?

      if upload = Upload.find_by(sha1: params[:sha]) || Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
        opts = {
          filename: upload.original_filename,
          content_type: Rack::Mime.mime_type(File.extname(upload.original_filename)),
        }
        opts[:disposition]   = "inline" if params[:inline]
        opts[:disposition] ||= "attachment" unless FileHelper.is_image?(upload.original_filename)
        send_file(Discourse.store.path_for(upload), opts)
      else
        render_404
      end
    end
  end

  protected

  def render_404
    raise Discourse::NotFound
  end

  def create_upload(file, url, type)
    if file.nil?
      if url.present? && is_api?
        maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes
        tempfile = FileHelper.download(
          url,
          max_file_size: maximum_upload_size,
          tmp_file_name: "discourse-upload-#{type}"
        ) rescue nil
        filename = File.basename(URI.parse(url).path)
      end
    else
      tempfile = file.tempfile
      filename = file.original_filename
      content_type = file.content_type
    end

    return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?

    upload = UploadCreator.new(tempfile, filename, type: type, content_type: content_type).create_for(current_user.id)

    if upload.errors.empty? && current_user.admin?
      retain_hours = params[:retain_hours].to_i
      upload.update_columns(retain_hours: retain_hours) if retain_hours > 0
    end

    upload.errors.empty? ? upload : { errors: upload.errors.values.flatten }
  ensure
    tempfile&.close! rescue nil
  end

end
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`require_dependency 'upload_creator'`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class UploadsController < ApplicationController`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`before_filter :ensure_logged_in, except: [:show]`
multisite fix, allow show through (security is handled in the controller) 2015-07-23 19:41:46 -04:00			`skip_before_filter :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]`
add UploadsController specs 2013-04-02 19:17:17 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def create`
replace the upload type whitelist with a sanitizer 2017-05-18 06:13:13 -04:00			`# 50 characters ought to be enough for the upload type`
			`type = params.require(:type).parameterize("_")[0..50]`
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread 2015-05-19 19:39:58 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`if type == "avatar" && (SiteSetting.sso_overrides_avatar \|\| !SiteSetting.allow_uploaded_avatars)`
			`return render json: failed_json, status: 422`
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side 2015-11-12 04:26:45 -05:00			`end`

REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`url = params[:url]`
			`file = params[:file] \|\| params[:files]&.first`

			`if params[:synchronous] && (current_user.staff? \|\| is_api?)`
			`data = create_upload(file, url, type)`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00			`render json: data.as_json`
			`else`
			`Scheduler::Defer.later("Create Upload") do`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`begin`
			`data = create_upload(file, url, type)`
			`ensure`
			`MessageBus.publish("/uploads/#{type}", (data \|\| {}).as_json, client_ids: [params[:client_id]])`
			`end`
FIX: API can provide a URL to create an upload 2015-05-20 11:38:06 -04:00			`end`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00			`render json: success_json`
FEATURE: api support for arbitrary unlinked assets admins can set retain periods for assets 2014-09-23 01:50:26 -04:00			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`
fix image uploads on s3/imgur 2013-06-04 18:34:53 -04:00
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`def show`
BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])`

BUGFIX: attachments bust under multisite 2014-03-24 19:37:31 -04:00			`RailsMultisite::ConnectionManagement.with_connection(params[:site]) do \|db\|`
BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`return render_404 unless Discourse.store.internal?`
FEATURE: new 'prevent anons from download files' site setting 2014-09-09 12:40:11 -04:00			`return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?`
maintain exact old behavior 2015-07-23 19:44:16 -04:00			`return render_404 if SiteSetting.login_required? && db == "default" && current_user.nil?`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00
fix the build 2015-05-20 09:32:31 -04:00			`if upload = Upload.find_by(sha1: params[:sha]) \|\| Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])`
FIX: add Content-Disposition and Content-Type headers when downloading attachments 2017-02-20 09:59:01 -05:00			`opts = {`
			`filename: upload.original_filename,`
			`content_type: Rack::Mime.mime_type(File.extname(upload.original_filename)),`
			`}`
			`opts[:disposition] = "inline" if params[:inline]`
			`opts[:disposition] \|\|= "attachment" unless FileHelper.is_image?(upload.original_filename)`
FIX: consistent and future-proof upload storage pattern 2015-05-19 06:31:12 -04:00			`send_file(Discourse.store.path_for(upload), opts)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`else`
BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`render_404`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`
BUGFIX: attachments bust under multisite 2014-03-24 19:37:31 -04:00			`end`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`end`

BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`protected`

			`def render_404`
FIX: better uploads error page 2017-05-18 13:55:21 -04:00			`raise Discourse::NotFound`
BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`end`

REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`def create_upload(file, url, type)`
			`if file.nil?`
			`if url.present? && is_api?`
			`maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes`
Refactor `FileHelper` to use keyword arguments. 2017-05-24 13:42:52 -04:00			`tempfile = FileHelper.download(`
			`url,`
			`max_file_size: maximum_upload_size,`
			`tmp_file_name: "discourse-upload-#{type}"`
			`) rescue nil`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`filename = File.basename(URI.parse(url).path)`
FEATURE: automatically downsize large images 2015-08-12 12:33:13 -04:00			`end`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`else`
			`tempfile = file.tempfile`
			`filename = file.original_filename`
			`content_type = file.content_type`
			`end`
FEATURE: automatically downsize large images 2015-08-12 12:33:13 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`upload = UploadCreator.new(tempfile, filename, type: type, content_type: content_type).create_for(current_user.id)`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`if upload.errors.empty? && current_user.admin?`
			`retain_hours = params[:retain_hours].to_i`
			`upload.update_columns(retain_hours: retain_hours) if retain_hours > 0`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00			`end`

REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`upload.errors.empty? ? upload : { errors: upload.errors.values.flatten }`
			`ensure`
			`tempfile&.close! rescue nil`
fix and improve image downsizing algorithm 2016-06-20 06:35:07 -04:00			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`