github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-23 01:16:22 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
b806dce13d
discourse/app/controllers/uploads_controller.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

374 lines
12 KiB
Ruby
Raw Normal View History

DEV: enable frozen string literal on all files This reduces chances of errors where consumers of strings mutate inputs and reduces memory usage of the app. Test suite passes now, but there may be some stuff left, so we will run a few sites on a branch prior to merging
2019-05-03 06:17:27 +08:00
# frozen_string_literal: true
FIX: pull hotlinked images even when they have no extension
2017-06-13 19:27:05 +08:00
require "mini_mime"
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
Initial release of Discourse
2013-02-06 03:16:51 +08:00
class UploadsController < ApplicationController
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
include ExternalUploadHelpers
DEV: Add SecureUploadEndpointHelpers for controllers (#25758) This commit moves some code out of UploadController#show_secure so it can be reused in other controllers if a secure upload needs to have permission checks run.
2024-02-20 09:19:22 +08:00
include SecureUploadEndpointHelpers
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
requires_login except: %i[show show_short _show_secure_deprecated show_secure]
Refactor requires login logic, reduce duplicate code This also corrects the positioning in the chain of the check and removes misuse of prepend_before_action
2018-02-01 12:17:59 +08:00
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
skip_before_action :preload_json,
:check_xhr,
:redirect_to_login_if_required,
FEATURE: User fields required for existing users - Part 2 (#27172) We want to allow admins to make new required fields apply to existing users. In order for this to work we need to have a way to make those users fill up the fields on their next page load. This is very similar to how adding a 2FA requirement post-fact works. Users will be redirected to a page where they can fill up the remaining required fields, and until they do that they won't be able to do anything else.
2024-06-25 19:32:18 +08:00
:redirect_to_profile_if_required,
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
only: %i[show show_short _show_secure_deprecated show_secure]
FIX: Allow themes to upload and serve js files (#8188) If you set `config.public_file_server.enabled = false` when you try to get uploaded js file you will get an error: `Security warning: an embedded <script> tag on another site requested protected JavaScript. If you know what you're doing, go ahead and disable forgery protection on this action to permit cross-origin JavaScript embedding.` The reason is that content type is `application/javascript` and in Rails 5 guard looked like that: https://github.com/rails/rails/blob/5-2-stable/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L278-L280 However, in Rails 6 `application` was added to regex: https://github.com/rails/rails/blob/master/actionpack/lib/action_controller/metal/request_forgery_protection.rb#L282-L284 This pull request is related to https://meta.discourse.org/t/uploaded-js-file-for-theme-causes-a-rejection/129753/8
2019-10-14 12:40:33 +08:00
protect_from_forgery except: :show
add UploadsController specs
2013-04-03 07:17:17 +08:00
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
before_action :is_asset_path,
:apply_cdn_headers,
only: %i[show show_short _show_secure_deprecated show_secure]
before_action :external_store_check, only: %i[_show_secure_deprecated show_secure]
Mark upload show paths as is_asset_path (#8365) * this is to avoid excessive rate limiting, especially for secure media on media-heavy topics
2019-11-18 13:56:20 +08:00
UX: Allow secure media URLs to be cached for a short period of time Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 22:00:41 +08:00
SECURE_REDIRECT_GRACE_SECONDS = 5
Initial release of Discourse
2013-02-06 03:16:51 +08:00
def create
FIX: make uploads safe for block that can run later
2017-11-23 14:28:18 +08:00
# capture current user for block later on
me = current_user
SECURITY: Add rate limits for uploads
2024-02-07 12:55:36 +08:00
RateLimiter.new(
current_user,
"uploads-per-minute",
SiteSetting.max_uploads_per_minute,
1.minute.to_i,
).performed!
FEATURE: Uppy image uploader with UppyUploadMixin (#13656) This PR adds the first use of Uppy in our codebase, hidden behind a enable_experimental_image_uploader site setting. When the setting is enabled only the user card background uploader will use the new uppy-image-uploader component added in this PR. I've introduced an UppyUpload mixin that has feature parity with the existing Upload mixin, and improves it slightly to deal with multiple/single file distinctions and validations better. For now, this just supports the XHRUpload plugin for uppy, which keeps our existing POST to /uploads.json.
2021-07-13 10:22:00 +08:00
params.permit(:type, :upload_type)
raise Discourse::InvalidParameters if params[:type].blank? && params[:upload_type].blank?
replace the upload type whitelist with a sanitizer
2017-05-18 18:13:13 +08:00
# 50 characters ought to be enough for the upload type
FEATURE: Uppy image uploader with UppyUploadMixin (#13656) This PR adds the first use of Uppy in our codebase, hidden behind a enable_experimental_image_uploader site setting. When the setting is enabled only the user card background uploader will use the new uppy-image-uploader component added in this PR. I've introduced an UppyUpload mixin that has feature parity with the existing Upload mixin, and improves it slightly to deal with multiple/single file distinctions and validations better. For now, this just supports the XHRUpload plugin for uppy, which keeps our existing POST to /uploads.json.
2021-07-13 10:22:00 +08:00
type =
(params[:upload_type].presence || params[:type].presence).parameterize(separator: "_")[0..50]
DEV: Apply syntax_tree formatting to `app/*`
2023-01-09 20:20:10 +08:00
DEV: Convert allow_uploaded_avatars to groups (#24810) This change converts the allow_uploaded_avatars site setting to uploaded_avatars_allowed_groups. See: https://meta.discourse.org/t/283408 Hides the old setting Adds the new site setting Adds a deprecation warning Updates to use the new setting Adds a migration to fill in the new setting if the old setting was changed Adds an entry to the site_setting.keywords section Updates tests to account for the new change After a couple of months, we will remove the allow_uploaded_avatars setting entirely. Internal ref: /t/117248
2023-12-13 07:53:19 +08:00
if type == "avatar" &&
FEATURE: Make allow_uploaded_avatars accept TL (#14091) This gives admins more control over who can upload custom profile pictures.
2021-08-24 15:46:28 +08:00
(
SiteSetting.discourse_connect_overrides_avatar ||
DEV: Convert allow_uploaded_avatars to groups (#24810) This change converts the allow_uploaded_avatars site setting to uploaded_avatars_allowed_groups. See: https://meta.discourse.org/t/283408 Hides the old setting Adds the new site setting Adds a deprecation warning Updates to use the new setting Adds a migration to fill in the new setting if the old setting was changed Adds an entry to the site_setting.keywords section Updates tests to account for the new change After a couple of months, we will remove the allow_uploaded_avatars setting entirely. Internal ref: /t/117248
2023-12-13 07:53:19 +08:00
!me.in_any_groups?(SiteSetting.uploaded_avatars_allowed_groups_map)
DEV: Apply syntax_tree formatting to `app/*`
2023-01-09 20:20:10 +08:00
)
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
return render json: failed_json, status: 422
FIX: enforce 'allow_uploaded_avatars' & 'sso_overrides_avatar' server-side
2015-11-12 17:26:45 +08:00
end
FIX: always try to convert PNG to JPG when pasting an image
2017-06-23 18:13:48 +08:00
url = params[:url]
file = params[:file] || params[:files]&.first
pasted = params[:pasted] == "true"
for_private_message = params[:for_private_message] == "true"
FEATURE: Upload Site Settings. (#6573)
2018-11-14 15:03:02 +08:00
for_site_setting = params[:for_site_setting] == "true"
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
is_api = is_api?
retain_hours = params[:retain_hours].to_i
# note, atm hijack is processed in its own context and has not access to controller
# longer term we may change this
hijack do
FIX: catch all server-side error when uploading a file UX: always show a message to the user whenever an error happens on the server when uploading a file
2017-12-27 23:33:25 +08:00
begin
info =
UploadsController.create_upload(
current_user: me,
file: file,
url: url,
type: type,
for_private_message: for_private_message,
FEATURE: Upload Site Settings. (#6573)
2018-11-14 15:03:02 +08:00
for_site_setting: for_site_setting,
FIX: catch all server-side error when uploading a file UX: always show a message to the user whenever an error happens on the server when uploading a file
2017-12-27 23:33:25 +08:00
pasted: pasted,
is_api: is_api,
retain_hours: retain_hours,
)
rescue => e
render json: failed_json.merge(message: e.message&.split("\n")&.first), status: 422
else
render json: UploadsController.serialize_upload(info), status: Upload === info ? 200 : 422
end
FEATURE: api support for arbitrary unlinked assets admins can set retain periods for assets
2014-09-23 13:50:26 +08:00
end
Initial release of Discourse
2013-02-06 03:16:51 +08:00
end
fix image uploads on s3/imgur
2013-06-05 06:34:53 +08:00
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-23 04:40:01 +08:00
def lookup_urls
params.permit(short_urls: [])
uploads = []
if (params[:short_urls] && params[:short_urls].length > 0)
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
PrettyText::Helpers
.lookup_upload_urls(params[:short_urls])
.each do |short_url, paths|
uploads << { short_url: short_url, url: paths[:url], short_path: paths[:short_path] }
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-23 04:40:01 +08:00
end
end
render json: uploads.to_json
end
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
def show
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 22:02:55 +08:00
# do not serve uploads requested via XHR to prevent XSS
DEV: Respond with error 400 to uploads requested via XHR follow-up to 13f38055
2019-06-27 17:13:44 +08:00
return xhr_not_allowed if request.xhr?
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 22:02:55 +08:00
BUGFIX: 500 error on some invalid uploads
2014-05-14 08:51:09 +08:00
return render_404 if !RailsMultisite::ConnectionManagement.has_db?(params[:site])
BUGFIX: attachments bust under multisite
2014-03-25 07:37:31 +08:00
RailsMultisite::ConnectionManagement.with_connection(params[:site]) do |db|
FEATURE: new 'prevent anons from download files' site setting
2014-09-10 00:40:11 +08:00
return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
fix the build
2015-05-20 21:32:31 +08:00
if upload =
Upload.find_by(sha1: params[:sha]) ||
Upload.find_by(id: params[:id], url: request.env["PATH_INFO"])
FIX: return 404 only if upload url also not internal.
2019-05-15 04:36:54 +08:00
unless Discourse.store.internal?
local_store = FileStore::LocalStore.new
return render_404 unless local_store.has_been_uploaded?(upload.url)
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
send_file_local_upload(upload)
else
render_404
end
end
end
FIX: Better error handling if a file cannot be sent If for some reason `Discourse.store.path_for` returns `nil`, the forum would throw an error rather than returning 404. Why would it be `nil`? One cause could be changing the type of file store and having the `url` field no longer be relative.
2019-01-30 05:47:25 +08:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
def show_short
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 22:02:55 +08:00
# do not serve uploads requested via XHR to prevent XSS
DEV: Respond with error 400 to uploads requested via XHR follow-up to 13f38055
2019-06-27 17:13:44 +08:00
return xhr_not_allowed if request.xhr?
SECURITY: XSS in routes Co-authored-by: Guo Xiang Tan <tgx_world@hotmail.com> Co-authored-by: David Taylor <david@taylorhq.com>
2019-06-26 22:02:55 +08:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD. (#7603)
2019-05-28 23:18:21 +08:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
sha1 = Upload.sha1_from_base62_encoded(params[:base62])
if upload = Upload.find_by(sha1: sha1)
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
return handle_secure_upload_request(upload) if upload.secure? && SiteSetting.secure_uploads?
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
if Discourse.store.internal?
send_file_local_upload(upload)
FEATURE: support email attachments
2014-04-15 04:55:57 +08:00
else
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 22:28:52 +08:00
redirect_to Discourse.store.url_for(upload, force_download: force_download?),
allow_other_host: true
FEATURE: support email attachments
2014-04-15 04:55:57 +08:00
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
else
render_404
BUGFIX: attachments bust under multisite
2014-03-25 07:37:31 +08:00
end
proper content-disposition header when downloading attachments
2013-09-07 01:18:42 +08:00
end
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
# Kept to avoid rebaking old posts with /show-secure-uploads/ in their
# contents, this will ensure the uploads in these posts continue to
# work in future.
def _show_secure_deprecated
show_secure
end
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
def show_secure
# do not serve uploads requested via XHR to prevent XSS
return xhr_not_allowed if request.xhr?
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
path_with_ext = "#{params[:path]}.#{params[:extension]}"
DEV: Add SecureUploadEndpointHelpers for controllers (#25758) This commit moves some code out of UploadController#show_secure so it can be reused in other controllers if a secure upload needs to have permission checks run.
2024-02-20 09:19:22 +08:00
upload = upload_from_path_and_extension(path_with_ext)
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
return render_404 if upload.blank?
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
FIX: Change secure media to encompass attachments as well (#9271) If the “secure media” site setting is enabled then ALL files uploaded to Discourse (images, video, audio, pdf, txt, zip etc. etc.) will follow the secure media rules. The “prevent anons from downloading files” setting will no longer have any bearing on upload security. Basically, the feature will more appropriately be called “secure uploads” instead of “secure media”. This is being done because there are communities out there that would like all attachments and media to be secure based on category rules but still allow anonymous users to download attachments in public places, which is not possible in the current arrangement.
2020-03-26 05:16:02 +08:00
return render_404 if SiteSetting.prevent_anons_from_downloading_files && current_user.nil?
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
return handle_secure_upload_request(upload, path_with_ext) if SiteSetting.secure_uploads?
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
DEV: Rename secure_media to secure_uploads (#18376) This commit renames all secure_media related settings to secure_uploads_* along with the associated functionality. This is being done because "media" does not really cover it, we aren't just doing this for images and videos etc. but for all uploads in the site. Additionally, in future we want to secure more types of uploads, and enable a kind of "mixed mode" where some uploads are secure and some are not, so keeping media in the name is just confusing. This also keeps compatibility with the `secure-media-uploads` path, and changes new secure URLs to be `secure-uploads`. Deprecated settings: * secure_media -> secure_uploads * secure_media_allow_embed_images_in_emails -> secure_uploads_allow_embed_images_in_emails * secure_media_max_email_embed_image_size_kb -> secure_uploads_max_email_embed_image_size_kb
2022-09-29 07:24:33 +08:00
# we don't want to 404 here if secure uploads gets disabled
FEATURE: Add rake task to disable secure media (#8669) * Add a rake task to disable secure media. This sets all uploads to `secure: false`, changes the upload ACL to public, and rebakes all the posts using the uploads to make sure they point to the correct URLs. This is in a transaction for each upload with the upload being updated the last step, so if the task fails it can be resumed. * Also allow viewing media via the secure url if secure media is disabled, redirecting to the normal CDN url, because otherwise media links will be broken while we go and rebake all the posts + update ACLs
2020-01-07 10:27:24 +08:00
# because all posts with secure uploads will show broken media
# until rebaked, which could take some time
Still redirect to signed URL for secure uploads if SiteSetting.secure_media is disabled we still want to redirect to the signed url for uploads that are marked as secure because their ACLs are probably still private
2020-01-07 12:02:17 +08:00
#
# if the upload is still secure, that means the ACL is probably still
# private, so we don't want to go to the CDN url just yet otherwise we
# will get a 403. if the upload is not secure we assume the ACL is public
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-16 09:54:14 +08:00
signed_secure_url = Discourse.store.signed_url_for_path(path_with_ext)
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 22:28:52 +08:00
redirect_to upload.secure? ? signed_secure_url : Discourse.store.cdn_url(upload.url),
allow_other_host: true
FEATURE: Add support for secure media (#7888) This PR introduces a new secure media setting. When enabled, it prevent unathorized access to media uploads (files of type image, video and audio). When the `login_required` setting is enabled, then all media uploads will be protected from unauthorized (anonymous) access. When `login_required`is disabled, only media in private messages will be protected from unauthorized access. A few notes: - the `prevent_anons_from_downloading_files` setting no longer applies to audio and video uploads - the `secure_media` setting can only be enabled if S3 uploads are already enabled and configured - upload records have a new column, `secure`, which is a boolean `true/false` of the upload's secure status - when creating a public post with an upload that has already been uploaded and is marked as secure, the post creator will raise an error - when enabling or disabling the setting on a site with existing uploads, the rake task `uploads:ensure_correct_acl` should be used to update all uploads' secure status and their ACL on S3
2019-11-18 09:25:42 +08:00
end
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-16 09:54:14 +08:00
def handle_secure_upload_request(upload, path_with_ext = nil)
DEV: Add SecureUploadEndpointHelpers for controllers (#25758) This commit moves some code out of UploadController#show_secure so it can be reused in other controllers if a secure upload needs to have permission checks run.
2024-02-20 09:19:22 +08:00
check_secure_upload_permission(upload)
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160) * Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time. * This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-03 11:42:36 +08:00
# defaults to public: false, so only cached by the client browser
FEATURE: Make S3 presigned GET URL expiry configurable (#16912) Previously we hardcoded the DOWNLOAD_URL_EXPIRES_AFTER_SECONDS const inside S3Helper to be 5 minutes (300 seconds). For various reasons, some hosted sites may need this to be longer for other integrations. The maximum expiry time for presigned URLs is 1 week (which is 604800 seconds), so that has been added as a validation on the setting as well. The setting is hidden because 99% of the time it should not be changed.
2022-05-26 07:53:01 +08:00
cache_seconds =
SiteSetting.s3_presigned_get_url_expires_after_seconds - SECURE_REDIRECT_GRACE_SECONDS
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160) * Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time. * This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-03 11:42:36 +08:00
expires_in cache_seconds.seconds
UX: Allow secure media URLs to be cached for a short period of time Signed S3 URLs are valid for 15 seconds, so we can safely allow the browser to cache them for 10 seconds. This should help with large numbers of requests when composing a post with many images.
2020-05-18 22:00:41 +08:00
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-16 09:54:14 +08:00
# url_for figures out the full URL, handling multisite DBs,
# and will return a presigned URL for the upload
if path_with_ext.blank?
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 22:28:52 +08:00
return(
redirect_to Discourse.store.url_for(upload, force_download: force_download?),
allow_other_host: true
DEV: Apply syntax_tree formatting to `app/*`
2023-01-09 20:20:10 +08:00
)
FIX: Ensure show_short URLs handle secure uploads using multisite (#9212) Meta report: https://meta.discourse.org/t/short-url-secure-uploads-s3/144224 * if the show_short route is hit for an upload that is secure, we redirect to the secure presigned URL. however this was not taking into account multisite so the db name was left off the path which broke the presigned URL * we now use the correct url_for method if we know the upload (like in the show_short case) which takes into account multisite
2020-03-16 09:54:14 +08:00
end
FIX: Increase time of DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes (#10160) * Change S3Helper::DOWNLOAD_URL_EXPIRES_AFTER_SECONDS to 5 minutes, which controls presigned URL expiry and secure-media route cache time. * This is done because of the composer preview refreshing while typing causes a lot of requests sent to our server because of the short URL expiry. If this ends up being not enough we can always increase the time or explore other avenues (e.g. GitHub has a 7 day validity for secure URLs)
2020-07-03 11:42:36 +08:00
redirect_to Discourse.store.signed_url_for_path(
FIX: Respect force download when downloading secure media via lightbox (#10769) The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download. This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
2020-09-29 10:12:03 +08:00
path_with_ext,
FEATURE: Make S3 presigned GET URL expiry configurable (#16912) Previously we hardcoded the DOWNLOAD_URL_EXPIRES_AFTER_SECONDS const inside S3Helper to be 5 minutes (300 seconds). For various reasons, some hosted sites may need this to be longer for other integrations. The maximum expiry time for presigned URLs is 1 week (which is 604800 seconds), so that has been added as a validation on the setting as well. The setting is hidden because 99% of the time it should not be changed.
2022-05-26 07:53:01 +08:00
expires_in: SiteSetting.s3_presigned_get_url_expires_after_seconds,
FIX: Respect force download when downloading secure media via lightbox (#10769) The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download. This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
2020-09-29 10:12:03 +08:00
force_download: force_download?,
DEV: Upgrade to Rails 7 This patch upgrades Rails to version 7.0.2.4.
2022-03-21 22:28:52 +08:00
),
allow_other_host: true
FEATURE: Secure media allowing duplicated uploads with category-level privacy and post-based access rules (#8664) ### General Changes and Duplication * We now consider a post `with_secure_media?` if it is in a read-restricted category. * When uploading we now set an upload's secure status straight away. * When uploading if `SiteSetting.secure_media` is enabled, we do not check to see if the upload already exists using the `sha1` digest of the upload. The `sha1` column of the upload is filled with a `SecureRandom.hex(20)` value which is the same length as `Upload::SHA1_LENGTH`. The `original_sha1` column is filled with the _real_ sha1 digest of the file. * Whether an upload `should_be_secure?` is now determined by whether the `access_control_post` is `with_secure_media?` (if there is no access control post then we leave the secure status as is). * When serializing the upload, we now cook the URL if the upload is secure. This is so it shows up correctly in the composer preview, because we set secure status on upload. ### Viewing Secure Media * The secure-media-upload URL will take the post that the upload is attached to into account via `Guardian.can_see?` for access permissions * If there is no `access_control_post` then we just deliver the media. This should be a rare occurrance and shouldn't cause issues as the `access_control_post` is set when `link_post_uploads` is called via `CookedPostProcessor` ### Removed We no longer do any of these because we do not reuse uploads by sha1 if secure media is enabled. * We no longer have a way to prevent cross-posting of a secure upload from a private context to a public context. * We no longer have to set `secure: false` for uploads when uploading for a theme component.
2020-01-16 11:50:27 +08:00
end
UX: Lightbox support for image uploader. (#7034)
2019-02-21 10:13:37 +08:00
def metadata
params.require(:url)
upload = Upload.get_from_url(params[:url])
raise Discourse::NotFound unless upload
render json: {
original_filename: upload.original_filename,
width: upload.width,
height: upload.height,
human_filesize: upload.human_filesize,
}
end
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
protected
FEATURE: Initial implementation of direct S3 uploads with uppy and stubs (#13787) This adds a few different things to allow for direct S3 uploads using uppy. **These changes are still not the default.** There are hidden `enable_experimental_image_uploader` and `enable_direct_s3_uploads` settings that must be turned on for any of this code to be used, and even if they are turned on only the User Card Background for the user profile actually uses uppy-image-uploader. A new `ExternalUploadStub` model and database table is introduced in this pull request. This is used to keep track of uploads that are uploaded to a temporary location in S3 with the direct to S3 code, and they are eventually deleted a) when the direct upload is completed and b) after a certain time period of not being used. ### Starting a direct S3 upload When an S3 direct upload is initiated with uppy, we first request a presigned PUT URL from the new `generate-presigned-put` endpoint in `UploadsController`. This generates an S3 key in the `temp` folder inside the correct bucket path, along with any metadata from the clientside (e.g. the SHA1 checksum described below). This will also create an `ExternalUploadStub` and store the details of the temp object key and the file being uploaded. Once the clientside has this URL, uppy will upload the file direct to S3 using the presigned URL. Once the upload is complete we go to the next stage. ### Completing a direct S3 upload Once the upload to S3 is done we call the new `complete-external-upload` route with the unique identifier of the `ExternalUploadStub` created earlier. Only the user who made the stub can complete the external upload. One of two paths is followed via the `ExternalUploadManager`. 1. If the object in S3 is too large (currently 100mb defined by `ExternalUploadManager::DOWNLOAD_LIMIT`) we do not download and generate the SHA1 for that file. Instead we create the `Upload` record via `UploadCreator` and simply copy it to its final destination on S3 then delete the initial temp file. Several modifications to `UploadCreator` have been made to accommodate this. 2. If the object in S3 is small enough, we download it. When the temporary S3 file is downloaded, we compare the SHA1 checksum generated by the browser with the actual SHA1 checksum of the file generated by ruby. The browser SHA1 checksum is stored on the object in S3 with metadata, and is generated via the `UppyChecksum` plugin. Keep in mind that some browsers will not generate this due to compatibility or other issues. We then follow the normal `UploadCreator` path with one exception. To cut down on having to re-upload the file again, if there are no changes (such as resizing etc) to the file in `UploadCreator` we follow the same copy + delete temp path that we do for files that are too large. 3. Finally we return the serialized upload record back to the client There are several errors that could happen that are handled by `UploadsController` as well. Also in this PR is some refactoring of `displayErrorForUpload` to handle both uppy and jquery file uploader errors.
2021-07-28 06:42:25 +08:00
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
def validate_before_create_multipart(file_name:, file_size:, upload_type:)
validate_file_size(file_name: file_name, file_size: file_size)
FEATURE: Uppy direct S3 multipart uploads in composer (#14051) This pull request introduces the endpoints required, and the JavaScript functionality in the `ComposerUppyUpload` mixin, for direct S3 multipart uploads. There are four new endpoints in the uploads controller: * `create-multipart.json` - Creates the multipart upload in S3 along with an `ExternalUploadStub` record, storing information about the file in the same way as `generate-presigned-put.json` does for regular direct S3 uploads * `batch-presign-multipart-parts.json` - Takes a list of part numbers and the unique identifier for an `ExternalUploadStub` record, and generates the presigned URLs for those parts if the multipart upload still exists and if the user has permission to access that upload * `complete-multipart.json` - Completes the multipart upload in S3. Needs the full list of part numbers and their associated ETags which are returned when the part is uploaded to the presigned URL above. Only works if the user has permission to access the associated `ExternalUploadStub` record and the multipart upload still exists. After we confirm the upload is complete in S3, we go through the regular `UploadCreator` flow, the same as `complete-external-upload.json`, and promote the temporary upload S3 into a full `Upload` record, moving it to its final destination. * `abort-multipart.json` - Aborts the multipart upload on S3 and destroys the `ExternalUploadStub` record if the user has permission to access that upload. Also added are a few new columns to `ExternalUploadStub`: * multipart - Whether or not this is a multipart upload * external_upload_identifier - The "upload ID" for an S3 multipart upload * filesize - The size of the file when the `create-multipart.json` or `generate-presigned-put.json` is called. This is used for validation. When the user completes a direct S3 upload, either regular or multipart, we take the `filesize` that was captured when the `ExternalUploadStub` was first created and compare it with the final `Content-Length` size of the file where it is stored in S3. Then, if the two do not match, we throw an error, delete the file on S3, and ban the user from uploading files for N (default 5) minutes. This would only happen if the user uploads a different file than what they first specified, or in the case of multipart uploads uploaded larger chunks than needed. This is done to prevent abuse of S3 storage by bad actors. Also included in this PR is an update to vendor/uppy.js. This has been built locally from the latest uppy source at https://github.com/transloadit/uppy/commit/d613b849a6591083f8a0968aa8d66537e231bbcd. This must be done so that I can get my multipart upload changes into Discourse. When the Uppy team cuts a proper release, we can bump the package.json versions instead.
2021-08-25 06:46:54 +08:00
end
FEATURE: Initial implementation of direct S3 uploads with uppy and stubs (#13787) This adds a few different things to allow for direct S3 uploads using uppy. **These changes are still not the default.** There are hidden `enable_experimental_image_uploader` and `enable_direct_s3_uploads` settings that must be turned on for any of this code to be used, and even if they are turned on only the User Card Background for the user profile actually uses uppy-image-uploader. A new `ExternalUploadStub` model and database table is introduced in this pull request. This is used to keep track of uploads that are uploaded to a temporary location in S3 with the direct to S3 code, and they are eventually deleted a) when the direct upload is completed and b) after a certain time period of not being used. ### Starting a direct S3 upload When an S3 direct upload is initiated with uppy, we first request a presigned PUT URL from the new `generate-presigned-put` endpoint in `UploadsController`. This generates an S3 key in the `temp` folder inside the correct bucket path, along with any metadata from the clientside (e.g. the SHA1 checksum described below). This will also create an `ExternalUploadStub` and store the details of the temp object key and the file being uploaded. Once the clientside has this URL, uppy will upload the file direct to S3 using the presigned URL. Once the upload is complete we go to the next stage. ### Completing a direct S3 upload Once the upload to S3 is done we call the new `complete-external-upload` route with the unique identifier of the `ExternalUploadStub` created earlier. Only the user who made the stub can complete the external upload. One of two paths is followed via the `ExternalUploadManager`. 1. If the object in S3 is too large (currently 100mb defined by `ExternalUploadManager::DOWNLOAD_LIMIT`) we do not download and generate the SHA1 for that file. Instead we create the `Upload` record via `UploadCreator` and simply copy it to its final destination on S3 then delete the initial temp file. Several modifications to `UploadCreator` have been made to accommodate this. 2. If the object in S3 is small enough, we download it. When the temporary S3 file is downloaded, we compare the SHA1 checksum generated by the browser with the actual SHA1 checksum of the file generated by ruby. The browser SHA1 checksum is stored on the object in S3 with metadata, and is generated via the `UppyChecksum` plugin. Keep in mind that some browsers will not generate this due to compatibility or other issues. We then follow the normal `UploadCreator` path with one exception. To cut down on having to re-upload the file again, if there are no changes (such as resizing etc) to the file in `UploadCreator` we follow the same copy + delete temp path that we do for files that are too large. 3. Finally we return the serialized upload record back to the client There are several errors that could happen that are handled by `UploadsController` as well. Also in this PR is some refactoring of `displayErrorForUpload` to handle both uppy and jquery file uploader errors.
2021-07-28 06:42:25 +08:00
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
def validate_before_create_direct_upload(file_name:, file_size:, upload_type:)
validate_file_size(file_name: file_name, file_size: file_size)
FEATURE: Initial implementation of direct S3 uploads with uppy and stubs (#13787) This adds a few different things to allow for direct S3 uploads using uppy. **These changes are still not the default.** There are hidden `enable_experimental_image_uploader` and `enable_direct_s3_uploads` settings that must be turned on for any of this code to be used, and even if they are turned on only the User Card Background for the user profile actually uses uppy-image-uploader. A new `ExternalUploadStub` model and database table is introduced in this pull request. This is used to keep track of uploads that are uploaded to a temporary location in S3 with the direct to S3 code, and they are eventually deleted a) when the direct upload is completed and b) after a certain time period of not being used. ### Starting a direct S3 upload When an S3 direct upload is initiated with uppy, we first request a presigned PUT URL from the new `generate-presigned-put` endpoint in `UploadsController`. This generates an S3 key in the `temp` folder inside the correct bucket path, along with any metadata from the clientside (e.g. the SHA1 checksum described below). This will also create an `ExternalUploadStub` and store the details of the temp object key and the file being uploaded. Once the clientside has this URL, uppy will upload the file direct to S3 using the presigned URL. Once the upload is complete we go to the next stage. ### Completing a direct S3 upload Once the upload to S3 is done we call the new `complete-external-upload` route with the unique identifier of the `ExternalUploadStub` created earlier. Only the user who made the stub can complete the external upload. One of two paths is followed via the `ExternalUploadManager`. 1. If the object in S3 is too large (currently 100mb defined by `ExternalUploadManager::DOWNLOAD_LIMIT`) we do not download and generate the SHA1 for that file. Instead we create the `Upload` record via `UploadCreator` and simply copy it to its final destination on S3 then delete the initial temp file. Several modifications to `UploadCreator` have been made to accommodate this. 2. If the object in S3 is small enough, we download it. When the temporary S3 file is downloaded, we compare the SHA1 checksum generated by the browser with the actual SHA1 checksum of the file generated by ruby. The browser SHA1 checksum is stored on the object in S3 with metadata, and is generated via the `UppyChecksum` plugin. Keep in mind that some browsers will not generate this due to compatibility or other issues. We then follow the normal `UploadCreator` path with one exception. To cut down on having to re-upload the file again, if there are no changes (such as resizing etc) to the file in `UploadCreator` we follow the same copy + delete temp path that we do for files that are too large. 3. Finally we return the serialized upload record back to the client There are several errors that could happen that are handled by `UploadsController` as well. Also in this PR is some refactoring of `displayErrorForUpload` to handle both uppy and jquery file uploader errors.
2021-07-28 06:42:25 +08:00
end
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
def validate_file_size(file_name:, file_size:)
FIX: Better 0 file size detection and logging (#16116) When creating files with create-multipart, if the file size was somehow zero we were showing a very unhelpful error message to the user. Now we show a nicer message, and proactively don't call the API if we know the file size is 0 bytes in JS, along with extra console logging to help with debugging.
2022-03-07 10:39:33 +08:00
raise ExternalUploadValidationError.new(I18n.t("upload.size_zero_failure")) if file_size.zero?
FIX: Show gif upload size limit error straight away (#21633) When uploading images via direct to S3 upload, we were assuming that we could not pre-emptively check the file size because the client may do preprocessing to reduce the size, and UploadCreator could also further reduce the size. This, however, is not true of gifs, so we would have an issue where you upload a gif > the max_image_size_kb setting and had to wait until the upload completed for this error to show. Now, instead, when we direct upload gifs to S3, we check the size straight away and present a file size error to the user rather than making them wait. This will increase meme efficiency by approximately 1000%.
2023-05-18 16:36:34 +08:00
if attachment_too_big?(file_name, file_size)
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
raise ExternalUploadValidationError.new(
I18n.t(
"upload.attachments.too_large_humanized",
max_size:
ActiveSupport::NumberHelper.number_to_human_size(
FEATURE: add `system_user_max_attachment_size_kb` site setting (#28351) * System user attachment size WIP * spec check * controller update * add max to system_user_max_attachment_size_kb * DEV: update to use static method for `max_attachment_size_for_user` add test to use large image. add check for failure. * DEV: update `system_user_max_attachment_size_kb` default value to 0 remove unecessary test. update tests to reflect the new default value of `system_user_max_attachment_size_kb` * DEV: update maximum_file_size to check when is an attachment made by a system user Add tests for when `system_user_max_attachment_size_kb` is over and under the limit Add test for checking interaction with `max_attachment_size_kb` * DEV: move `max_attachment_size_for_user` to private methods * DEV: turn `max_attachment_size_for_user` into a static method * DEV: typo in test case * DEV: move max_attachment_size_for_user to private class method * Revert "DEV: move max_attachment_size_for_user to private class method" This reverts commit 5d5ae0b715de7c3453dc1392df299ef3bb58990c. --------- Co-authored-by: Gabriel Grubba <gabriel@discourse.org>
2024-08-16 22:03:39 +08:00
UploadsController.max_attachment_size_for_user(current_user).kilobytes,
FEATURE: Direct S3 multipart uploads for backups (#14736) This PR introduces a new `enable_experimental_backup_uploads` site setting (default false and hidden), which when enabled alongside `enable_direct_s3_uploads` will allow for direct S3 multipart uploads of backup .tar.gz files. To make multipart external uploads work with both the S3BackupStore and the S3Store, I've had to move several methods out of S3Store and into S3Helper, including: * presigned_url * create_multipart * abort_multipart * complete_multipart * presign_multipart_part * list_multipart_parts Then, S3Store and S3BackupStore either delegate directly to S3Helper or have their own special methods to call S3Helper for these methods. FileStore.temporary_upload_path has also removed its dependence on upload_path, and can now be used interchangeably between the stores. A similar change was made in the frontend as well, moving the multipart related JS code out of ComposerUppyUpload and into a mixin of its own, so it can also be used by UppyUploadMixin. Some changes to ExternalUploadManager had to be made here as well. The backup direct uploads do not need an Upload record made for them in the database, so they can be moved to their final S3 resting place when completing the multipart upload. This changeset is not perfect; it introduces some special cases in UploadController to handle backups that was previously in BackupController, because UploadController is where the multipart routes are located. A subsequent pull request will pull these routes into a module or some other sharing pattern, along with hooks, so the backup controller and the upload controller (and any future controllers that may need them) can include these routes in a nicer way.
2021-11-11 06:25:31 +08:00
),
DEV: Apply syntax_tree formatting to `app/*`
2023-01-09 20:20:10 +08:00
),
FEATURE: Direct S3 multipart uploads for backups (#14736) This PR introduces a new `enable_experimental_backup_uploads` site setting (default false and hidden), which when enabled alongside `enable_direct_s3_uploads` will allow for direct S3 multipart uploads of backup .tar.gz files. To make multipart external uploads work with both the S3BackupStore and the S3Store, I've had to move several methods out of S3Store and into S3Helper, including: * presigned_url * create_multipart * abort_multipart * complete_multipart * presign_multipart_part * list_multipart_parts Then, S3Store and S3BackupStore either delegate directly to S3Helper or have their own special methods to call S3Helper for these methods. FileStore.temporary_upload_path has also removed its dependence on upload_path, and can now be used interchangeably between the stores. A similar change was made in the frontend as well, moving the multipart related JS code out of ComposerUppyUpload and into a mixin of its own, so it can also be used by UppyUploadMixin. Some changes to ExternalUploadManager had to be made here as well. The backup direct uploads do not need an Upload record made for them in the database, so they can be moved to their final S3 resting place when completing the multipart upload. This changeset is not perfect; it introduces some special cases in UploadController to handle backups that was previously in BackupController, because UploadController is where the multipart routes are located. A subsequent pull request will pull these routes into a module or some other sharing pattern, along with hooks, so the backup controller and the upload controller (and any future controllers that may need them) can include these routes in a nicer way.
2021-11-11 06:25:31 +08:00
)
FEATURE: Uppy direct S3 multipart uploads in composer (#14051) This pull request introduces the endpoints required, and the JavaScript functionality in the `ComposerUppyUpload` mixin, for direct S3 multipart uploads. There are four new endpoints in the uploads controller: * `create-multipart.json` - Creates the multipart upload in S3 along with an `ExternalUploadStub` record, storing information about the file in the same way as `generate-presigned-put.json` does for regular direct S3 uploads * `batch-presign-multipart-parts.json` - Takes a list of part numbers and the unique identifier for an `ExternalUploadStub` record, and generates the presigned URLs for those parts if the multipart upload still exists and if the user has permission to access that upload * `complete-multipart.json` - Completes the multipart upload in S3. Needs the full list of part numbers and their associated ETags which are returned when the part is uploaded to the presigned URL above. Only works if the user has permission to access the associated `ExternalUploadStub` record and the multipart upload still exists. After we confirm the upload is complete in S3, we go through the regular `UploadCreator` flow, the same as `complete-external-upload.json`, and promote the temporary upload S3 into a full `Upload` record, moving it to its final destination. * `abort-multipart.json` - Aborts the multipart upload on S3 and destroys the `ExternalUploadStub` record if the user has permission to access that upload. Also added are a few new columns to `ExternalUploadStub`: * multipart - Whether or not this is a multipart upload * external_upload_identifier - The "upload ID" for an S3 multipart upload * filesize - The size of the file when the `create-multipart.json` or `generate-presigned-put.json` is called. This is used for validation. When the user completes a direct S3 upload, either regular or multipart, we take the `filesize` that was captured when the `ExternalUploadStub` was first created and compare it with the final `Content-Length` size of the file where it is stored in S3. Then, if the two do not match, we throw an error, delete the file on S3, and ban the user from uploading files for N (default 5) minutes. This would only happen if the user uploads a different file than what they first specified, or in the case of multipart uploads uploaded larger chunks than needed. This is done to prevent abuse of S3 storage by bad actors. Also included in this PR is an update to vendor/uppy.js. This has been built locally from the latest uppy source at https://github.com/transloadit/uppy/commit/d613b849a6591083f8a0968aa8d66537e231bbcd. This must be done so that I can get my multipart upload changes into Discourse. When the Uppy team cuts a proper release, we can bump the package.json versions instead.
2021-08-25 06:46:54 +08:00
end
FIX: Show gif upload size limit error straight away (#21633) When uploading images via direct to S3 upload, we were assuming that we could not pre-emptively check the file size because the client may do preprocessing to reduce the size, and UploadCreator could also further reduce the size. This, however, is not true of gifs, so we would have an issue where you upload a gif > the max_image_size_kb setting and had to wait until the upload completed for this error to show. Now, instead, when we direct upload gifs to S3, we check the size straight away and present a file size error to the user rather than making them wait. This will increase meme efficiency by approximately 1000%.
2023-05-18 16:36:34 +08:00
if image_too_big?(file_name, file_size)
raise ExternalUploadValidationError.new(
I18n.t(
"upload.images.too_large_humanized",
max_size:
ActiveSupport::NumberHelper.number_to_human_size(
SiteSetting.max_image_size_kb.kilobytes,
),
),
)
end
FEATURE: Direct S3 multipart uploads for backups (#14736) This PR introduces a new `enable_experimental_backup_uploads` site setting (default false and hidden), which when enabled alongside `enable_direct_s3_uploads` will allow for direct S3 multipart uploads of backup .tar.gz files. To make multipart external uploads work with both the S3BackupStore and the S3Store, I've had to move several methods out of S3Store and into S3Helper, including: * presigned_url * create_multipart * abort_multipart * complete_multipart * presign_multipart_part * list_multipart_parts Then, S3Store and S3BackupStore either delegate directly to S3Helper or have their own special methods to call S3Helper for these methods. FileStore.temporary_upload_path has also removed its dependence on upload_path, and can now be used interchangeably between the stores. A similar change was made in the frontend as well, moving the multipart related JS code out of ComposerUppyUpload and into a mixin of its own, so it can also be used by UppyUploadMixin. Some changes to ExternalUploadManager had to be made here as well. The backup direct uploads do not need an Upload record made for them in the database, so they can be moved to their final S3 resting place when completing the multipart upload. This changeset is not perfect; it introduces some special cases in UploadController to handle backups that was previously in BackupController, because UploadController is where the multipart routes are located. A subsequent pull request will pull these routes into a module or some other sharing pattern, along with hooks, so the backup controller and the upload controller (and any future controllers that may need them) can include these routes in a nicer way.
2021-11-11 06:25:31 +08:00
end
FIX: Respect force download when downloading secure media via lightbox (#10769) The download link on the lightbox for images was not downloading the image if the upload was marked secure, because the code in the upload controller route was not respecting the dl=1 param for force download. This PR fixes this so the download link works for secure images as well as regular ligthboxed images.
2020-09-29 10:12:03 +08:00
def force_download?
params[:dl] == "1"
end
DEV: Respond with error 400 to uploads requested via XHR follow-up to 13f38055
2019-06-27 17:13:44 +08:00
def xhr_not_allowed
raise Discourse::InvalidParameters.new("XHR not allowed")
end
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
def self.serialize_upload(data)
FEATURE: image uploads now have short urls Shorten all image uploads to use short urls, this is the client side implementation.
2017-08-23 04:40:01 +08:00
# as_json.as_json is not a typo... as_json in AM serializer returns keys as symbols, we need them
# as strings here
serialized = UploadSerializer.new(data, root: nil).as_json.as_json if Upload === data
serialized ||= (data || {}).as_json
end
FEATURE: Upload Site Settings. (#6573)
2018-11-14 15:03:02 +08:00
def self.create_upload(
current_user:,
file:,
url:,
type:,
for_private_message:,
for_site_setting:,
pasted:,
is_api:,
retain_hours:
)
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
if file.nil?
FEATURE: uploads are processed a faster Also cleans up API to always return 422 on upload error. (previously returned 200) Uploads are processed using new hijack pattern
2017-11-27 09:43:18 +08:00
if url.present? && is_api
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
maximum_upload_size = [
SiteSetting.max_image_size_kb,
FEATURE: add `system_user_max_attachment_size_kb` site setting (#28351) * System user attachment size WIP * spec check * controller update * add max to system_user_max_attachment_size_kb * DEV: update to use static method for `max_attachment_size_for_user` add test to use large image. add check for failure. * DEV: update `system_user_max_attachment_size_kb` default value to 0 remove unecessary test. update tests to reflect the new default value of `system_user_max_attachment_size_kb` * DEV: update maximum_file_size to check when is an attachment made by a system user Add tests for when `system_user_max_attachment_size_kb` is over and under the limit Add test for checking interaction with `max_attachment_size_kb` * DEV: move `max_attachment_size_for_user` to private methods * DEV: turn `max_attachment_size_for_user` into a static method * DEV: typo in test case * DEV: move max_attachment_size_for_user to private class method * Revert "DEV: move max_attachment_size_for_user to private class method" This reverts commit 5d5ae0b715de7c3453dc1392df299ef3bb58990c. --------- Co-authored-by: Gabriel Grubba <gabriel@discourse.org>
2024-08-16 22:03:39 +08:00
UploadsController.max_attachment_size_for_user(current_user),
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
].max.kilobytes
Refactor `FileHelper` to use keyword arguments.
2017-05-25 01:42:52 +08:00
tempfile =
DEV: Apply syntax_tree formatting to `app/*`
2023-01-09 20:20:10 +08:00
begin
Refactor `FileHelper` to use keyword arguments.
2017-05-25 01:42:52 +08:00
FileHelper.download(
url,
FIX: ensure we can download maxmind without redis or db config This also corrects FileHelper.download so it supports "follow_redirect" correctly (it used to always follow 1 redirect) and adds a `validate_url` param that will bypass all uri validation if set to false (default is true)
2019-05-28 08:28:57 +08:00
follow_redirect: true,
Refactor `FileHelper` to use keyword arguments.
2017-05-25 01:42:52 +08:00
max_file_size: maximum_upload_size,
tmp_file_name: "discourse-upload-#{type}",
)
rescue StandardError
nil
DEV: Apply syntax_tree formatting to `app/*`
2023-01-09 20:20:10 +08:00
end
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
filename = File.basename(URI.parse(url).path)
FEATURE: automatically downsize large images
2015-08-13 00:33:13 +08:00
end
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
else
tempfile = file.tempfile
filename = file.original_filename
end
FEATURE: automatically downsize large images
2015-08-13 00:33:13 +08:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
return { errors: [I18n.t("upload.file_missing")] } if tempfile.nil?
FEATURE: allow API to upload files synchronously
2015-06-15 22:12:15 +08:00
FIX: always try to convert PNG to JPG when pasting an image
2017-06-23 18:13:48 +08:00
opts = {
type: type,
for_private_message: for_private_message,
FEATURE: Upload Site Settings. (#6573)
2018-11-14 15:03:02 +08:00
for_site_setting: for_site_setting,
FIX: always try to convert PNG to JPG when pasting an image
2017-06-23 18:13:48 +08:00
pasted: pasted,
}
FEATURE: new 'allow_staff_to_upload_any_file_in_pm' site setting
2017-06-13 04:41:29 +08:00
upload = UploadCreator.new(tempfile, filename, opts).create_for(current_user.id)
FEATURE: allow API to upload files synchronously
2015-06-15 22:12:15 +08:00
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
if upload.errors.empty? && current_user.admin?
upload.update_columns(retain_hours: retain_hours) if retain_hours > 0
FEATURE: allow API to upload files synchronously
2015-06-15 22:12:15 +08:00
end
DEV: Add support for Rails 6 Minor fixes to add Rails 6 support to Discourse, we now will boot with RAILS_MASTER=1, all specs pass Only one tiny deprecation left Largest change was the way ActiveModel:Errors changed interface a bit but there is a simple backwards compat way of working it
2019-04-30 14:58:18 +08:00
upload.errors.empty? ? upload : { errors: upload.errors.to_hash.values.flatten }
REFACTOR: upload workflow creation into UploadCreator - Automatically convert large-ish PNG/BMP to JPEG - Updated fast_image to latest version
2017-05-11 06:16:57 +08:00
ensure
Remove use of `rescue nil`. * `rescue nil` is a really bad pattern to use in our code base. We should rescue errors that we expect the code to throw and not rescue everything because we're unsure of what errors the code would throw. This would reduce the amount of pain we face when debugging why something isn't working as expexted. I've been bitten countless of times by errors being swallowed as a result during debugging sessions.
2018-03-28 16:20:08 +08:00
tempfile&.close!
fix and improve image downsizing algorithm
2016-06-20 18:35:07 +08:00
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
private
FEATURE: add `system_user_max_attachment_size_kb` site setting (#28351) * System user attachment size WIP * spec check * controller update * add max to system_user_max_attachment_size_kb * DEV: update to use static method for `max_attachment_size_for_user` add test to use large image. add check for failure. * DEV: update `system_user_max_attachment_size_kb` default value to 0 remove unecessary test. update tests to reflect the new default value of `system_user_max_attachment_size_kb` * DEV: update maximum_file_size to check when is an attachment made by a system user Add tests for when `system_user_max_attachment_size_kb` is over and under the limit Add test for checking interaction with `max_attachment_size_kb` * DEV: move `max_attachment_size_for_user` to private methods * DEV: turn `max_attachment_size_for_user` into a static method * DEV: typo in test case * DEV: move max_attachment_size_for_user to private class method * Revert "DEV: move max_attachment_size_for_user to private class method" This reverts commit 5d5ae0b715de7c3453dc1392df299ef3bb58990c. --------- Co-authored-by: Gabriel Grubba <gabriel@discourse.org>
2024-08-16 22:03:39 +08:00
def self.max_attachment_size_for_user(user)
if user.id == Discourse::SYSTEM_USER_ID && !SiteSetting.system_user_max_attachment_size_kb.zero?
SiteSetting.system_user_max_attachment_size_kb
else
SiteSetting.max_attachment_size_kb
end
end
FIX: Show gif upload size limit error straight away (#21633) When uploading images via direct to S3 upload, we were assuming that we could not pre-emptively check the file size because the client may do preprocessing to reduce the size, and UploadCreator could also further reduce the size. This, however, is not true of gifs, so we would have an issue where you upload a gif > the max_image_size_kb setting and had to wait until the upload completed for this error to show. Now, instead, when we direct upload gifs to S3, we check the size straight away and present a file size error to the user rather than making them wait. This will increase meme efficiency by approximately 1000%.
2023-05-18 16:36:34 +08:00
# We can preemptively check size for attachments, but not for (most) images
FEATURE: Uppy direct S3 multipart uploads in composer (#14051) This pull request introduces the endpoints required, and the JavaScript functionality in the `ComposerUppyUpload` mixin, for direct S3 multipart uploads. There are four new endpoints in the uploads controller: * `create-multipart.json` - Creates the multipart upload in S3 along with an `ExternalUploadStub` record, storing information about the file in the same way as `generate-presigned-put.json` does for regular direct S3 uploads * `batch-presign-multipart-parts.json` - Takes a list of part numbers and the unique identifier for an `ExternalUploadStub` record, and generates the presigned URLs for those parts if the multipart upload still exists and if the user has permission to access that upload * `complete-multipart.json` - Completes the multipart upload in S3. Needs the full list of part numbers and their associated ETags which are returned when the part is uploaded to the presigned URL above. Only works if the user has permission to access the associated `ExternalUploadStub` record and the multipart upload still exists. After we confirm the upload is complete in S3, we go through the regular `UploadCreator` flow, the same as `complete-external-upload.json`, and promote the temporary upload S3 into a full `Upload` record, moving it to its final destination. * `abort-multipart.json` - Aborts the multipart upload on S3 and destroys the `ExternalUploadStub` record if the user has permission to access that upload. Also added are a few new columns to `ExternalUploadStub`: * multipart - Whether or not this is a multipart upload * external_upload_identifier - The "upload ID" for an S3 multipart upload * filesize - The size of the file when the `create-multipart.json` or `generate-presigned-put.json` is called. This is used for validation. When the user completes a direct S3 upload, either regular or multipart, we take the `filesize` that was captured when the `ExternalUploadStub` was first created and compare it with the final `Content-Length` size of the file where it is stored in S3. Then, if the two do not match, we throw an error, delete the file on S3, and ban the user from uploading files for N (default 5) minutes. This would only happen if the user uploads a different file than what they first specified, or in the case of multipart uploads uploaded larger chunks than needed. This is done to prevent abuse of S3 storage by bad actors. Also included in this PR is an update to vendor/uppy.js. This has been built locally from the latest uppy source at https://github.com/transloadit/uppy/commit/d613b849a6591083f8a0968aa8d66537e231bbcd. This must be done so that I can get my multipart upload changes into Discourse. When the Uppy team cuts a proper release, we can bump the package.json versions instead.
2021-08-25 06:46:54 +08:00
# as they may be further reduced in size by UploadCreator (at this point
# they may have already been reduced in size by preprocessors)
FIX: Show gif upload size limit error straight away (#21633) When uploading images via direct to S3 upload, we were assuming that we could not pre-emptively check the file size because the client may do preprocessing to reduce the size, and UploadCreator could also further reduce the size. This, however, is not true of gifs, so we would have an issue where you upload a gif > the max_image_size_kb setting and had to wait until the upload completed for this error to show. Now, instead, when we direct upload gifs to S3, we check the size straight away and present a file size error to the user rather than making them wait. This will increase meme efficiency by approximately 1000%.
2023-05-18 16:36:34 +08:00
def attachment_too_big?(file_name, file_size)
FEATURE: Uppy direct S3 multipart uploads in composer (#14051) This pull request introduces the endpoints required, and the JavaScript functionality in the `ComposerUppyUpload` mixin, for direct S3 multipart uploads. There are four new endpoints in the uploads controller: * `create-multipart.json` - Creates the multipart upload in S3 along with an `ExternalUploadStub` record, storing information about the file in the same way as `generate-presigned-put.json` does for regular direct S3 uploads * `batch-presign-multipart-parts.json` - Takes a list of part numbers and the unique identifier for an `ExternalUploadStub` record, and generates the presigned URLs for those parts if the multipart upload still exists and if the user has permission to access that upload * `complete-multipart.json` - Completes the multipart upload in S3. Needs the full list of part numbers and their associated ETags which are returned when the part is uploaded to the presigned URL above. Only works if the user has permission to access the associated `ExternalUploadStub` record and the multipart upload still exists. After we confirm the upload is complete in S3, we go through the regular `UploadCreator` flow, the same as `complete-external-upload.json`, and promote the temporary upload S3 into a full `Upload` record, moving it to its final destination. * `abort-multipart.json` - Aborts the multipart upload on S3 and destroys the `ExternalUploadStub` record if the user has permission to access that upload. Also added are a few new columns to `ExternalUploadStub`: * multipart - Whether or not this is a multipart upload * external_upload_identifier - The "upload ID" for an S3 multipart upload * filesize - The size of the file when the `create-multipart.json` or `generate-presigned-put.json` is called. This is used for validation. When the user completes a direct S3 upload, either regular or multipart, we take the `filesize` that was captured when the `ExternalUploadStub` was first created and compare it with the final `Content-Length` size of the file where it is stored in S3. Then, if the two do not match, we throw an error, delete the file on S3, and ban the user from uploading files for N (default 5) minutes. This would only happen if the user uploads a different file than what they first specified, or in the case of multipart uploads uploaded larger chunks than needed. This is done to prevent abuse of S3 storage by bad actors. Also included in this PR is an update to vendor/uppy.js. This has been built locally from the latest uppy source at https://github.com/transloadit/uppy/commit/d613b849a6591083f8a0968aa8d66537e231bbcd. This must be done so that I can get my multipart upload changes into Discourse. When the Uppy team cuts a proper release, we can bump the package.json versions instead.
2021-08-25 06:46:54 +08:00
!FileHelper.is_supported_image?(file_name) &&
FEATURE: add `system_user_max_attachment_size_kb` site setting (#28351) * System user attachment size WIP * spec check * controller update * add max to system_user_max_attachment_size_kb * DEV: update to use static method for `max_attachment_size_for_user` add test to use large image. add check for failure. * DEV: update `system_user_max_attachment_size_kb` default value to 0 remove unecessary test. update tests to reflect the new default value of `system_user_max_attachment_size_kb` * DEV: update maximum_file_size to check when is an attachment made by a system user Add tests for when `system_user_max_attachment_size_kb` is over and under the limit Add test for checking interaction with `max_attachment_size_kb` * DEV: move `max_attachment_size_for_user` to private methods * DEV: turn `max_attachment_size_for_user` into a static method * DEV: typo in test case * DEV: move max_attachment_size_for_user to private class method * Revert "DEV: move max_attachment_size_for_user to private class method" This reverts commit 5d5ae0b715de7c3453dc1392df299ef3bb58990c. --------- Co-authored-by: Gabriel Grubba <gabriel@discourse.org>
2024-08-16 22:03:39 +08:00
file_size >= UploadsController.max_attachment_size_for_user(current_user).kilobytes
FEATURE: Uppy direct S3 multipart uploads in composer (#14051) This pull request introduces the endpoints required, and the JavaScript functionality in the `ComposerUppyUpload` mixin, for direct S3 multipart uploads. There are four new endpoints in the uploads controller: * `create-multipart.json` - Creates the multipart upload in S3 along with an `ExternalUploadStub` record, storing information about the file in the same way as `generate-presigned-put.json` does for regular direct S3 uploads * `batch-presign-multipart-parts.json` - Takes a list of part numbers and the unique identifier for an `ExternalUploadStub` record, and generates the presigned URLs for those parts if the multipart upload still exists and if the user has permission to access that upload * `complete-multipart.json` - Completes the multipart upload in S3. Needs the full list of part numbers and their associated ETags which are returned when the part is uploaded to the presigned URL above. Only works if the user has permission to access the associated `ExternalUploadStub` record and the multipart upload still exists. After we confirm the upload is complete in S3, we go through the regular `UploadCreator` flow, the same as `complete-external-upload.json`, and promote the temporary upload S3 into a full `Upload` record, moving it to its final destination. * `abort-multipart.json` - Aborts the multipart upload on S3 and destroys the `ExternalUploadStub` record if the user has permission to access that upload. Also added are a few new columns to `ExternalUploadStub`: * multipart - Whether or not this is a multipart upload * external_upload_identifier - The "upload ID" for an S3 multipart upload * filesize - The size of the file when the `create-multipart.json` or `generate-presigned-put.json` is called. This is used for validation. When the user completes a direct S3 upload, either regular or multipart, we take the `filesize` that was captured when the `ExternalUploadStub` was first created and compare it with the final `Content-Length` size of the file where it is stored in S3. Then, if the two do not match, we throw an error, delete the file on S3, and ban the user from uploading files for N (default 5) minutes. This would only happen if the user uploads a different file than what they first specified, or in the case of multipart uploads uploaded larger chunks than needed. This is done to prevent abuse of S3 storage by bad actors. Also included in this PR is an update to vendor/uppy.js. This has been built locally from the latest uppy source at https://github.com/transloadit/uppy/commit/d613b849a6591083f8a0968aa8d66537e231bbcd. This must be done so that I can get my multipart upload changes into Discourse. When the Uppy team cuts a proper release, we can bump the package.json versions instead.
2021-08-25 06:46:54 +08:00
end
FIX: Show gif upload size limit error straight away (#21633) When uploading images via direct to S3 upload, we were assuming that we could not pre-emptively check the file size because the client may do preprocessing to reduce the size, and UploadCreator could also further reduce the size. This, however, is not true of gifs, so we would have an issue where you upload a gif > the max_image_size_kb setting and had to wait until the upload completed for this error to show. Now, instead, when we direct upload gifs to S3, we check the size straight away and present a file size error to the user rather than making them wait. This will increase meme efficiency by approximately 1000%.
2023-05-18 16:36:34 +08:00
# Gifs are not resized on the client and not reduced in size by UploadCreator
def image_too_big?(file_name, file_size)
FileHelper.is_supported_image?(file_name) && File.extname(file_name) == ".gif" &&
file_size >= SiteSetting.max_image_size_kb.kilobytes
end
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
def send_file_local_upload(upload)
opts = {
filename: upload.original_filename,
content_type: MiniMime.lookup_by_filename(upload.original_filename)&.content_type,
}
SECURITY: Add content-disposition: attachment for SVG uploads * strip out the href and xlink:href attributes from use element that are _not_ anchors in svgs which can be used for XSS * adding the content-disposition: attachment ensures that uploaded SVGs cannot be opened and executed using the XSS exploit. svgs embedded using an img tag do not suffer from the same exploit
2020-07-09 11:31:48 +08:00
if !FileHelper.is_inline_image?(upload.original_filename)
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
opts[:disposition] = "attachment"
SECURITY: Ensure only image uploads can be inlined This prevents malicious files (for example special crafted XMLs) to be used in XSS attacks.
2019-12-11 21:21:41 +08:00
elsif params[:inline]
opts[:disposition] = "inline"
FEATURE: Support `[description|attachment](upload://<short-sha>)` in MD take 2. Previous attempt was missing `post_uploads` records.
2019-05-29 09:00:25 +08:00
end
file_path = Discourse.store.path_for(upload)
return render_404 unless file_path
send_file(file_path, opts)
end
DEV: Extract shared external upload routes into controller helper (#14984) This commit refactors the direct external upload routes (get presigned put, complete external, create/abort/complete multipart) into a helper which is then included in both BackupController and the UploadController. This is done so UploadController doesn't need strange backup logic added to it, and so each controller implementing this helper can do their own validation/error handling nicely. This is a follow up to e4350bb96648622b73414712588ffc015e193562
2021-11-18 07:17:23 +08:00
def create_direct_multipart_upload
begin
yield
rescue Aws::S3::Errors::ServiceError => err
message =
debug_upload_error(
err,
I18n.t("upload.create_multipart_failure", additional_detail: err.message),
)
raise ExternalUploadHelpers::ExternalUploadValidationError.new(message)
end
FEATURE: Direct S3 multipart uploads for backups (#14736) This PR introduces a new `enable_experimental_backup_uploads` site setting (default false and hidden), which when enabled alongside `enable_direct_s3_uploads` will allow for direct S3 multipart uploads of backup .tar.gz files. To make multipart external uploads work with both the S3BackupStore and the S3Store, I've had to move several methods out of S3Store and into S3Helper, including: * presigned_url * create_multipart * abort_multipart * complete_multipart * presign_multipart_part * list_multipart_parts Then, S3Store and S3BackupStore either delegate directly to S3Helper or have their own special methods to call S3Helper for these methods. FileStore.temporary_upload_path has also removed its dependence on upload_path, and can now be used interchangeably between the stores. A similar change was made in the frontend as well, moving the multipart related JS code out of ComposerUppyUpload and into a mixin of its own, so it can also be used by UppyUploadMixin. Some changes to ExternalUploadManager had to be made here as well. The backup direct uploads do not need an Upload record made for them in the database, so they can be moved to their final S3 resting place when completing the multipart upload. This changeset is not perfect; it introduces some special cases in UploadController to handle backups that was previously in BackupController, because UploadController is where the multipart routes are located. A subsequent pull request will pull these routes into a module or some other sharing pattern, along with hooks, so the backup controller and the upload controller (and any future controllers that may need them) can include these routes in a nicer way.
2021-11-11 06:25:31 +08:00
end
Initial release of Discourse
2013-02-06 03:16:51 +08:00
end
Reference in New Issue Copy Permalink