ホーム エクスプローラ ヘルプ
サインイン
mirrors
/
wekan
同期ミラー https://github.com/wekan/wekan.git
2
0
フォーク 0
ファイル 課題 0 Wiki
ツリー: a9d4538d53
ブランチ タグ
wekan
/
models
/
attachments.js

attachments.js 2.1 KB
履歴 Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273 
  1. Attachments = new FS.Collection('attachments', {
    2. 

  2.   stores: [
    3. 

  3. 

  4.     // XXX Add a new store for cover thumbnails so we don't load big images in
    5. 

  5.     // the general board view
    6. 

  6.     new FS.Store.GridFS('attachments'),
    7. 

  7.   ],
    8. 

  8. });
    9. 

  9. 

  10. if (Meteor.isServer) {
    11. 

  11.   Attachments.allow({
    12. 

  12.     insert(userId, doc) {
    13. 

  13.       return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    14. 

  14.     },
    15. 

  15.     update(userId, doc) {
    16. 

  16.       return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    17. 

  17.     },
    18. 

  18.     remove(userId, doc) {
    19. 

  19.       return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    20. 

  20.     },
    21. 

  21.     // We authorize the attachment download either:
    22. 

  22.     // - if the board is public, everyone (even unconnected) can download it
    23. 

  23.     // - if the board is private, only board members can download it
    24. 

  24.     download(userId, doc) {
    25. 

  25.       const board = Boards.findOne(doc.boardId);
    26. 

  26.       if (board.isPublic()) {
    27. 

  27.         return true;
    28. 

  28.       } else {
    29. 

  29.         return board.hasMember(userId);
    30. 

  30.       }
    31. 

  31.     },
    32. 

  32. 

  33.     fetch: ['boardId'],
    34. 

  34.   });
    35. 

  35. }
    36. 

  36. 

  37. // XXX Enforce a schema for the Attachments CollectionFS
    38. 

  38. 

  39. Attachments.files.before.insert((userId, doc) => {
    40. 

  40.   const file = new FS.File(doc);
    41. 

  41.   doc.userId = userId;
    42. 

  42. 

  43.   // If the uploaded document is not an image we need to enforce browser
    44. 

  44.   // download instead of execution. This is particularly important for HTML
    45. 

  45.   // files that the browser will just execute if we don't serve them with the
    46. 

  46.   // appropriate `application/octet-stream` MIME header which can lead to user
    47. 

  47.   // data leaks. I imagine other formats (like PDF) can also be attack vectors.
    48. 

  48.   // See https://github.com/wekan/wekan/issues/99
    49. 

  49.   // XXX Should we use `beforeWrite` option of CollectionFS instead of
    50. 

  50.   // collection-hooks?
    51. 

  51.   if (!file.isImage()) {
    52. 

  52.     file.original.type = 'application/octet-stream';
    53. 

  53.   }
    54. 

  54. });
    55. 

  55. 

  56. if (Meteor.isServer) {
    57. 

  57.   Attachments.files.after.insert((userId, doc) => {
    58. 

  58.     Activities.insert({
    59. 

  59.       userId,
    60. 

  60.       type: 'card',
    61. 

  61.       activityType: 'addAttachment',
    62. 

  62.       attachmentId: doc._id,
    63. 

  63.       boardId: doc.boardId,
    64. 

  64.       cardId: doc.cardId,
    65. 

  65.     });
    66. 

  66.   });
    67. 

  67. 

  68.   Attachments.files.after.remove((userId, doc) => {
    69. 

  69.     Activities.remove({
    70. 

  70.       attachmentId: doc._id,
    71. 

  71.     });
    72. 

  72.   });
    73. 

  73. }
    74.