FIX: Respect force download when downloading secure media via lightbox (#10769)

The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download.

This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
This commit is contained in:
Martin Brennan 2020-09-29 12:12:03 +10:00 committed by GitHub
parent aca2697a42
commit 4193eb0419
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 19 additions and 5 deletions

View File

@ -111,7 +111,7 @@ class UploadsController < ApplicationController
if Discourse.store.internal? if Discourse.store.internal?
send_file_local_upload(upload) send_file_local_upload(upload)
else else
redirect_to Discourse.store.url_for(upload, force_download: params[:dl] == "1") redirect_to Discourse.store.url_for(upload, force_download: force_download?)
end end
else else
render_404 render_404
@ -160,11 +160,13 @@ class UploadsController < ApplicationController
# url_for figures out the full URL, handling multisite DBs, # url_for figures out the full URL, handling multisite DBs,
# and will return a presigned URL for the upload # and will return a presigned URL for the upload
if path_with_ext.blank? if path_with_ext.blank?
return redirect_to Discourse.store.url_for(upload) return redirect_to Discourse.store.url_for(upload, force_download: force_download?)
end end
redirect_to Discourse.store.signed_url_for_path( redirect_to Discourse.store.signed_url_for_path(
path_with_ext, expires_in: S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS path_with_ext,
expires_in: S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS,
force_download: force_download?
) )
end end
@ -183,6 +185,10 @@ class UploadsController < ApplicationController
protected protected
def force_download?
params[:dl] == "1"
end
def xhr_not_allowed def xhr_not_allowed
raise Discourse::InvalidParameters.new("XHR not allowed") raise Discourse::InvalidParameters.new("XHR not allowed")
end end

View File

@ -169,9 +169,9 @@ module FileStore
url.sub(File.join("#{schema}#{absolute_base_url}", folder), File.join(SiteSetting.Upload.s3_cdn_url, "/")) url.sub(File.join("#{schema}#{absolute_base_url}", folder), File.join(SiteSetting.Upload.s3_cdn_url, "/"))
end end
def signed_url_for_path(path, expires_in: S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS) def signed_url_for_path(path, expires_in: S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS, force_download: false)
key = path.sub(absolute_base_url + "/", "") key = path.sub(absolute_base_url + "/", "")
presigned_url(key, expires_in: expires_in) presigned_url(key, expires_in: expires_in, force_download: force_download)
end end
def cache_avatar(avatar, user_id) def cache_avatar(avatar, user_id)

View File

@ -402,6 +402,14 @@ describe UploadsController do
get upload.short_path get upload.short_path
expect(response).to redirect_to(Discourse.store.signed_url_for_path(Discourse.store.get_path_for_upload(upload))) expect(response).to redirect_to(Discourse.store.signed_url_for_path(Discourse.store.get_path_for_upload(upload)))
expect(response.header['Location']).not_to include('response-content-disposition=attachment')
end
it "respects the force download (dl) param" do
sign_in(user)
freeze_time
get upload.short_path, params: { dl: '1' }
expect(response.header['Location']).to include('response-content-disposition=attachment')
end end
it "has the correct caching header" do it "has the correct caching header" do