discourse/app/controllers/uploads_controller.rb

require "mini_mime"
require_dependency 'upload_creator'

class UploadsController < ApplicationController
  before_action :ensure_logged_in, except: [:show]
  skip_before_action :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]

  def create
    # capture current user for block later on
    me = current_user

    # 50 characters ought to be enough for the upload type
    type = params.require(:type).parameterize(separator: "_")[0..50]

    if type == "avatar" && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
      return render json: failed_json, status: 422
    end

    url    = params[:url]
    file   = params[:file] || params[:files]&.first
    pasted = params[:pasted] == "true"
    for_private_message = params[:for_private_message] == "true"
    is_api = is_api?
    retain_hours = params[:retain_hours].to_i

    # note, atm hijack is processed in its own context and has not access to controller
    # longer term we may change this
    hijack do
      begin
        info = UploadsController.create_upload(
          current_user: me,
          file: file,
          url: url,
          type: type,
          for_private_message: for_private_message,
          pasted: pasted,
          is_api: is_api,
          retain_hours: retain_hours
        )
      rescue => e
        render json: failed_json.merge(message: e.message&.split("\n")&.first), status: 422
      else
        render json: UploadsController.serialize_upload(info), status: Upload === info ? 200 : 422
      end
    end
  end

  def lookup_urls
    params.permit(short_urls: [])
    uploads = []

    if (params[:short_urls] && params[:short_urls].length > 0)
      PrettyText::Helpers.lookup_image_urls(params[:short_urls]).each do |short_url, url|
        uploads << { short_url: short_url, url: url }
      end
    end

    render json: uploads.to_json
  end

  def show
    return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])

    RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
      return render_404 unless Discourse.store.internal?
      return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?

      if upload = Upload.find_by(sha1: params[:sha]) || Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
        opts = {
          filename: upload.original_filename,
          content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type,
        }
        opts[:disposition]   = "inline" if params[:inline]
        opts[:disposition] ||= "attachment" unless FileHelper.is_image?(upload.original_filename)
        send_file(Discourse.store.path_for(upload), opts)
      else
        render_404
      end
    end
  end

  protected

  def render_404
    raise Discourse::NotFound
  end

  def self.serialize_upload(data)
    # as_json.as_json is not a typo... as_json in AM serializer returns keys as symbols, we need them
    # as strings here
    serialized = UploadSerializer.new(data, root: nil).as_json.as_json if Upload === data
    serialized ||= (data || {}).as_json
  end

  def self.create_upload(current_user:, file:, url:, type:, for_private_message:, pasted:, is_api:, retain_hours:)
    if file.nil?
      if url.present? && is_api
        maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes
        tempfile = FileHelper.download(
          url,
          max_file_size: maximum_upload_size,
          tmp_file_name: "discourse-upload-#{type}"
        ) rescue nil
        filename = File.basename(URI.parse(url).path)
      end
    else
      tempfile = file.tempfile
      filename = file.original_filename
      content_type = file.content_type
    end

    return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?

    opts = {
      type: type,
      content_type: content_type,
      for_private_message: for_private_message,
      pasted: pasted,
    }

    upload = UploadCreator.new(tempfile, filename, opts).create_for(current_user.id)

    if upload.errors.empty? && current_user.admin?
      upload.update_columns(retain_hours: retain_hours) if retain_hours > 0
    end

    upload.errors.empty? ? upload : { errors: upload.errors.values.flatten }
  ensure
    tempfile&.close! rescue nil
  end

end
FIX: pull hotlinked images even when they have no extension 2017-06-13 07:27:05 -04:00			`require "mini_mime"`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`require_dependency 'upload_creator'`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`class UploadsController < ApplicationController`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 00:06:56 -04:00			`before_action :ensure_logged_in, except: [:show]`
			`skip_before_action :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]`
add UploadsController specs 2013-04-02 19:17:17 -04:00
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`def create`
FIX: make uploads safe for block that can run later 2017-11-23 01:28:18 -05:00			`# capture current user for block later on`
			`me = current_user`

replace the upload type whitelist with a sanitizer 2017-05-18 06:13:13 -04:00			`# 50 characters ought to be enough for the upload type`
Fix all the errors to get our tests green on Rails 5.1. 2017-08-31 00:06:56 -04:00			`type = params.require(:type).parameterize(separator: "_")[0..50]`
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread 2015-05-19 19:39:58 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`if type == "avatar" && (SiteSetting.sso_overrides_avatar \|\| !SiteSetting.allow_uploaded_avatars)`
			`return render json: failed_json, status: 422`
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side 2015-11-12 04:26:45 -05:00			`end`

FIX: always try to convert PNG to JPG when pasting an image 2017-06-23 06:13:48 -04:00			`url = params[:url]`
			`file = params[:file] \|\| params[:files]&.first`
			`pasted = params[:pasted] == "true"`
			`for_private_message = params[:for_private_message] == "true"`
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern 2017-11-26 20:43:18 -05:00			`is_api = is_api?`
			`retain_hours = params[:retain_hours].to_i`

			`# note, atm hijack is processed in its own context and has not access to controller`
			`# longer term we may change this`
			`hijack do`
FIX: catch all server-side error when uploading a file UX: always show a message to the user whenever an error happens on the server when uploading a file 2017-12-27 10:33:25 -05:00			`begin`
			`info = UploadsController.create_upload(`
			`current_user: me,`
			`file: file,`
			`url: url,`
			`type: type,`
			`for_private_message: for_private_message,`
			`pasted: pasted,`
			`is_api: is_api,`
			`retain_hours: retain_hours`
			`)`
			`rescue => e`
			`render json: failed_json.merge(message: e.message&.split("\n")&.first), status: 422`
			`else`
			`render json: UploadsController.serialize_upload(info), status: Upload === info ? 200 : 422`
			`end`
FEATURE: api support for arbitrary unlinked assets admins can set retain periods for assets 2014-09-23 01:50:26 -04:00			`end`
Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`
fix image uploads on s3/imgur 2013-06-04 18:34:53 -04:00
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation. 2017-08-22 16:40:01 -04:00			`def lookup_urls`
			`params.permit(short_urls: [])`
			`uploads = []`

			`if (params[:short_urls] && params[:short_urls].length > 0)`
			`PrettyText::Helpers.lookup_image_urls(params[:short_urls]).each do \|short_url, url\|`
			`uploads << { short_url: short_url, url: url }`
			`end`
			`end`

			`render json: uploads.to_json`
			`end`

proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`def show`
BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])`

BUGFIX: attachments bust under multisite 2014-03-24 19:37:31 -04:00			`RailsMultisite::ConnectionManagement.with_connection(params[:site]) do \|db\|`
BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`return render_404 unless Discourse.store.internal?`
FEATURE: new 'prevent anons from download files' site setting 2014-09-09 12:40:11 -04:00			`return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00
fix the build 2015-05-20 09:32:31 -04:00			`if upload = Upload.find_by(sha1: params[:sha]) \|\| Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])`
FIX: add Content-Disposition and Content-Type headers when downloading attachments 2017-02-20 09:59:01 -05:00			`opts = {`
			`filename: upload.original_filename,`
FIX: pull hotlinked images even when they have no extension 2017-06-13 07:27:05 -04:00			`content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type,`
FIX: add Content-Disposition and Content-Type headers when downloading attachments 2017-02-20 09:59:01 -05:00			`}`
			`opts[:disposition] = "inline" if params[:inline]`
			`opts[:disposition] \|\|= "attachment" unless FileHelper.is_image?(upload.original_filename)`
FIX: consistent and future-proof upload storage pattern 2015-05-19 06:31:12 -04:00			`send_file(Discourse.store.path_for(upload), opts)`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`else`
BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`render_404`
FEATURE: support email attachments 2014-04-14 16:55:57 -04:00			`end`
BUGFIX: attachments bust under multisite 2014-03-24 19:37:31 -04:00			`end`
proper content-disposition header when downloading attachments 2013-09-06 13:18:42 -04:00			`end`

BUGFIX: 500 error on some invalid uploads 2014-05-13 20:51:09 -04:00			`protected`

FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern 2017-11-26 20:43:18 -05:00			`def render_404`
			`raise Discourse::NotFound`
			`end`

			`def self.serialize_upload(data)`
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation. 2017-08-22 16:40:01 -04:00			`# as_json.as_json is not a typo... as_json in AM serializer returns keys as symbols, we need them`
			`# as strings here`
			`serialized = UploadSerializer.new(data, root: nil).as_json.as_json if Upload === data`
			`serialized \|\|= (data \|\| {}).as_json`
			`end`

FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern 2017-11-26 20:43:18 -05:00			`def self.create_upload(current_user:, file:, url:, type:, for_private_message:, pasted:, is_api:, retain_hours:)`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`if file.nil?`
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern 2017-11-26 20:43:18 -05:00			`if url.present? && is_api`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes`
Refactor `FileHelper` to use keyword arguments. 2017-05-24 13:42:52 -04:00			`tempfile = FileHelper.download(`
			`url,`
			`max_file_size: maximum_upload_size,`
			`tmp_file_name: "discourse-upload-#{type}"`
			`) rescue nil`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`filename = File.basename(URI.parse(url).path)`
FEATURE: automatically downsize large images 2015-08-12 12:33:13 -04:00			`end`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`else`
			`tempfile = file.tempfile`
			`filename = file.original_filename`
			`content_type = file.content_type`
			`end`
FEATURE: automatically downsize large images 2015-08-12 12:33:13 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00
FIX: always try to convert PNG to JPG when pasting an image 2017-06-23 06:13:48 -04:00			`opts = {`
			`type: type,`
			`content_type: content_type,`
			`for_private_message: for_private_message,`
			`pasted: pasted,`
			`}`
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting 2017-06-12 16:41:29 -04:00
			`upload = UploadCreator.new(tempfile, filename, opts).create_for(current_user.id)`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`if upload.errors.empty? && current_user.admin?`
			`upload.update_columns(retain_hours: retain_hours) if retain_hours > 0`
FEATURE: allow API to upload files synchronously 2015-06-15 10:12:15 -04:00			`end`

REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-10 18:16:57 -04:00			`upload.errors.empty? ? upload : { errors: upload.errors.values.flatten }`
			`ensure`
			`tempfile&.close! rescue nil`
fix and improve image downsizing algorithm 2016-06-20 06:35:07 -04:00			`end`

Initial release of Discourse 2013-02-05 14:16:51 -05:00			`end`