Home Explore Help
Sign In
mirrors
/
wekan
mirror of https://github.com/wekan/wekan.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: 2a24918a9c
Branches Tags
wekan
/
server
/
routes
/
legacyAttachments.js

legacyAttachments.js 2.8 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485 
  1. import { Meteor } from 'meteor/meteor';
    2. 

  2. import { WebApp } from 'meteor/webapp';
    3. 

  3. import { ReactiveCache } from '/imports/reactiveCache';
    4. 

  4. import { getAttachmentWithBackwardCompatibility, getOldAttachmentStream } from '/models/lib/attachmentBackwardCompatibility';
    5. 

  5. 

  6. // Ensure this file is loaded
    7. 

  7. if (process.env.DEBUG === 'true') {
    8. 

  8.   console.log('Legacy attachments route loaded');
    9. 

  9. }
    10. 

  10. 

  11. /**
    12. 

  12.  * Legacy attachment download route for CollectionFS compatibility
    13. 

  13.  * Handles downloads from old CollectionFS structure
    14. 

  14.  */
    15. 

  15. 

  16. if (Meteor.isServer) {
    17. 

  17.   // Handle legacy attachment downloads
    18. 

  18.   WebApp.connectHandlers.use('/cfs/files/attachments', (req, res, next) => {
    19. 

  19.     const attachmentId = req.url.split('/').pop();
    20. 

  20. 

  21.     if (!attachmentId) {
    22. 

  22.       res.writeHead(404);
    23. 

  23.       res.end('Attachment not found');
    24. 

  24.       return;
    25. 

  25.     }
    26. 

  26. 

  27.     try {
    28. 

  28.       // Try to get attachment with backward compatibility
    29. 

  29.       const attachment = getAttachmentWithBackwardCompatibility(attachmentId);
    30. 

  30. 

  31.       if (!attachment) {
    32. 

  32.         res.writeHead(404);
    33. 

  33.         res.end('Attachment not found');
    34. 

  34.         return;
    35. 

  35.       }
    36. 

  36. 

  37.       // Check permissions
    38. 

  38.       const board = ReactiveCache.getBoard(attachment.meta.boardId);
    39. 

  39.       if (!board) {
    40. 

  40.         res.writeHead(404);
    41. 

  41.         res.end('Board not found');
    42. 

  42.         return;
    43. 

  43.       }
    44. 

  44. 

  45.       // Check if user has permission to download
    46. 

  46.       const userId = Meteor.userId();
    47. 

  47.       if (!board.isPublic() && (!userId || !board.hasMember(userId))) {
    48. 

  48.         res.writeHead(403);
    49. 

  49.         res.end('Access denied');
    50. 

  50.         return;
    51. 

  51.       }
    52. 

  52. 

  53.       // Set appropriate headers
    54. 

  54.       res.setHeader('Content-Type', attachment.type || 'application/octet-stream');
    55. 

  55.       res.setHeader('Content-Length', attachment.size || 0);
    56. 

  56. 

  57.       // Force attachment disposition for SVG files to prevent XSS attacks
    58. 

  58.       const isSvgFile = attachment.name && attachment.name.toLowerCase().endsWith('.svg');
    59. 

  59.       const disposition = isSvgFile ? 'attachment' : 'attachment'; // Always use attachment for legacy files
    60. 

  60.       res.setHeader('Content-Disposition', `${disposition}; filename="${attachment.name}"`);
    61. 

  61. 

  62.       // Add security headers for SVG files
    63. 

  63.       if (isSvgFile) {
    64. 

  64.         res.setHeader('Content-Security-Policy', "default-src 'none'; script-src 'none'; object-src 'none';");
    65. 

  65.         res.setHeader('X-Content-Type-Options', 'nosniff');
    66. 

  66.         res.setHeader('X-Frame-Options', 'DENY');
    67. 

  67.       }
    68. 

  68. 

  69.       // Get GridFS stream for legacy attachment
    70. 

  70.       const fileStream = getOldAttachmentStream(attachmentId);
    71. 

  71.       if (fileStream) {
    72. 

  72.         res.writeHead(200);
    73. 

  73.         fileStream.pipe(res);
    74. 

  74.       } else {
    75. 

  75.         res.writeHead(404);
    76. 

  76.         res.end('File not found in GridFS');
    77. 

  77.       }
    78. 

  78. 

  79.     } catch (error) {
    80. 

  80.       console.error('Error serving legacy attachment:', error);
    81. 

  81.       res.writeHead(500);
    82. 

  82.       res.end('Internal server error');
    83. 

  83.     }
    84. 

  84.   });
    85. 

  85. }
    86.