discourse/app/controllers/uploads_controller.rb

require_dependency 'upload_creator'

class UploadsController < ApplicationController
  before_filter :ensure_logged_in, except: [:show]
  skip_before_filter :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]

  def create
    type = params.require(:type)

    raise Discourse::InvalidAccess.new unless Upload::UPLOAD_TYPES.include?(type)

    if type == "avatar" && (SiteSetting.sso_overrides_avatar || !SiteSetting.allow_uploaded_avatars)
      return render json: failed_json, status: 422
    end

    url  = params[:url]
    file = params[:file] || params[:files]&.first

    if params[:synchronous] && (current_user.staff? || is_api?)
      data = create_upload(file, url, type)
      render json: data.as_json
    else
      Scheduler::Defer.later("Create Upload") do
        begin
          data = create_upload(file, url, type)
        ensure
          MessageBus.publish("/uploads/#{type}", (data || {}).as_json, client_ids: [params[:client_id]])
        end
      end
      render json: success_json
    end
  end

  def show
    return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])

    RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
      return render_404 unless Discourse.store.internal?
      return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
      return render_404 if SiteSetting.login_required? && db == "default" && current_user.nil?

      if upload = Upload.find_by(sha1: params[:sha]) || Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
        opts = {
          filename: upload.original_filename,
          content_type: Rack::Mime.mime_type(File.extname(upload.original_filename)),
        }
        opts[:disposition]   = "inline" if params[:inline]
        opts[:disposition] ||= "attachment" unless FileHelper.is_image?(upload.original_filename)
        send_file(Discourse.store.path_for(upload), opts)
      else
        render_404
      end
    end
  end

  protected

  def render_404
    render nothing: true, status: 404
  end

  def create_upload(file, url, type)
    if file.nil?
      if url.present? && is_api?
        maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes
        tempfile = FileHelper.download(url, maximum_upload_size, "discourse-upload-#{type}") rescue nil
        filename = File.basename(URI.parse(url).path)
      end
    else
      tempfile = file.tempfile
      filename = file.original_filename
      content_type = file.content_type
    end

    return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?

    upload = UploadCreator.new(tempfile, filename, type: type, content_type: content_type).create_for(current_user.id)

    if upload.errors.empty? && current_user.admin?
      retain_hours = params[:retain_hours].to_i
      upload.update_columns(retain_hours: retain_hours) if retain_hours > 0
    end

    upload.errors.empty? ? upload : { errors: upload.errors.values.flatten }
  ensure
    tempfile&.close! rescue nil
  end

end
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`require_dependency 'upload_creator'`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`class UploadsController < ApplicationController`
proper content-disposition header when downloading attachments 2013-09-07 01:18:42 +08:00			`before_filter :ensure_logged_in, except: [:show]`
multisite fix, allow show through (security is handled in the controller) 2015-07-24 07:41:46 +08:00			`skip_before_filter :preload_json, :check_xhr, :redirect_to_login_if_required, only: [:show]`
add UploadsController specs 2013-04-03 07:17:17 +08:00
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`def create`
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread 2015-05-20 07:39:58 +08:00			`type = params.require(:type)`
SECURITY: protect upload params, only allow very strict filenames 2016-12-19 07:16:18 +08:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`raise Discourse::InvalidAccess.new unless Upload::UPLOAD_TYPES.include?(type)`
FEATURE: move all uploads to a single endpoint + defer upload creation in a background thread 2015-05-20 07:39:58 +08:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`if type == "avatar" && (SiteSetting.sso_overrides_avatar \|\| !SiteSetting.allow_uploaded_avatars)`
			`return render json: failed_json, status: 422`
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side 2015-11-12 17:26:45 +08:00			`end`

REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`url = params[:url]`
			`file = params[:file] \|\| params[:files]&.first`

			`if params[:synchronous] && (current_user.staff? \|\| is_api?)`
			`data = create_upload(file, url, type)`
FEATURE: allow API to upload files synchronously 2015-06-15 22:12:15 +08:00			`render json: data.as_json`
			`else`
			`Scheduler::Defer.later("Create Upload") do`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`begin`
			`data = create_upload(file, url, type)`
			`ensure`
			`MessageBus.publish("/uploads/#{type}", (data \|\| {}).as_json, client_ids: [params[:client_id]])`
			`end`
FIX: API can provide a URL to create an upload 2015-05-20 23:38:06 +08:00			`end`
FEATURE: allow API to upload files synchronously 2015-06-15 22:12:15 +08:00			`render json: success_json`
FEATURE: api support for arbitrary unlinked assets admins can set retain periods for assets 2014-09-23 13:50:26 +08:00			`end`
Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`
fix image uploads on s3/imgur 2013-06-05 06:34:53 +08:00
proper content-disposition header when downloading attachments 2013-09-07 01:18:42 +08:00			`def show`
BUGFIX: 500 error on some invalid uploads 2014-05-14 08:51:09 +08:00			`return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])`

BUGFIX: attachments bust under multisite 2014-03-25 07:37:31 +08:00			`RailsMultisite::ConnectionManagement.with_connection(params[:site]) do \|db\|`
BUGFIX: 500 error on some invalid uploads 2014-05-14 08:51:09 +08:00			`return render_404 unless Discourse.store.internal?`
FEATURE: new 'prevent anons from download files' site setting 2014-09-10 00:40:11 +08:00			`return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?`
maintain exact old behavior 2015-07-24 07:44:16 +08:00			`return render_404 if SiteSetting.login_required? && db == "default" && current_user.nil?`
proper content-disposition header when downloading attachments 2013-09-07 01:18:42 +08:00
fix the build 2015-05-20 21:32:31 +08:00			`if upload = Upload.find_by(sha1: params[:sha]) \|\| Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])`
FIX: add Content-Disposition and Content-Type headers when downloading attachments 2017-02-20 22:59:01 +08:00			`opts = {`
			`filename: upload.original_filename,`
			`content_type: Rack::Mime.mime_type(File.extname(upload.original_filename)),`
			`}`
			`opts[:disposition] = "inline" if params[:inline]`
			`opts[:disposition] \|\|= "attachment" unless FileHelper.is_image?(upload.original_filename)`
FIX: consistent and future-proof upload storage pattern 2015-05-19 18:31:12 +08:00			`send_file(Discourse.store.path_for(upload), opts)`
FEATURE: support email attachments 2014-04-15 04:55:57 +08:00			`else`
BUGFIX: 500 error on some invalid uploads 2014-05-14 08:51:09 +08:00			`render_404`
FEATURE: support email attachments 2014-04-15 04:55:57 +08:00			`end`
BUGFIX: attachments bust under multisite 2014-03-25 07:37:31 +08:00			`end`
proper content-disposition header when downloading attachments 2013-09-07 01:18:42 +08:00			`end`

BUGFIX: 500 error on some invalid uploads 2014-05-14 08:51:09 +08:00			`protected`

			`def render_404`
			`render nothing: true, status: 404`
			`end`

REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`def create_upload(file, url, type)`
			`if file.nil?`
			`if url.present? && is_api?`
			`maximum_upload_size = [SiteSetting.max_image_size_kb, SiteSetting.max_attachment_size_kb].max.kilobytes`
			`tempfile = FileHelper.download(url, maximum_upload_size, "discourse-upload-#{type}") rescue nil`
			`filename = File.basename(URI.parse(url).path)`
FEATURE: automatically downsize large images 2015-08-13 00:33:13 +08:00			`end`
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`else`
			`tempfile = file.tempfile`
			`filename = file.original_filename`
			`content_type = file.content_type`
			`end`
FEATURE: automatically downsize large images 2015-08-13 00:33:13 +08:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?`
FEATURE: allow API to upload files synchronously 2015-06-15 22:12:15 +08:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`upload = UploadCreator.new(tempfile, filename, type: type, content_type: content_type).create_for(current_user.id)`
FEATURE: allow API to upload files synchronously 2015-06-15 22:12:15 +08:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`if upload.errors.empty? && current_user.admin?`
			`retain_hours = params[:retain_hours].to_i`
			`upload.update_columns(retain_hours: retain_hours) if retain_hours > 0`
FEATURE: allow API to upload files synchronously 2015-06-15 22:12:15 +08:00			`end`

REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version 2017-05-11 06:16:57 +08:00			`upload.errors.empty? ? upload : { errors: upload.errors.values.flatten }`
			`ensure`
			`tempfile&.close! rescue nil`
fix and improve image downsizing algorithm 2016-06-20 18:35:07 +08:00			`end`

Initial release of Discourse 2013-02-06 03:16:51 +08:00			`end`