Home Explore Help
Sign In
mirrors
/
wekan
mirror of https://github.com/wekan/wekan.git
2
0
Fork 0
Files Issues 0 Wiki
Tree: f4a68a0f7d
Branches Tags
wekan
/
models
/
attachments.js

attachments.js 2.3 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879 
  1. Attachments = new FS.Collection('attachments', {
    2. 

  2.   stores: [
    3. 

  3. 

  4.     // XXX Add a new store for cover thumbnails so we don't load big images in
    5. 

  5.     // the general board view
    6. 

  6.     new FS.Store.GridFS('attachments'),
    7. 

  7.   ],
    8. 

  8. });
    9. 

  9. 

  10. if (Meteor.isServer) {
    11. 

  11.   Attachments.allow({
    12. 

  12.     insert(userId, doc) {
    13. 

  13.       return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    14. 

  14.     },
    15. 

  15.     update(userId, doc) {
    16. 

  16.       return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    17. 

  17.     },
    18. 

  18.     remove(userId, doc) {
    19. 

  19.       return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    20. 

  20.     },
    21. 

  21.     // We authorize the attachment download either:
    22. 

  22.     // - if the board is public, everyone (even unconnected) can download it
    23. 

  23.     // - if the board is private, only board members can download it
    24. 

  24.     //
    25. 

  25.     // XXX We have a bug with the `userId` verification:
    26. 

  26.     //
    27. 

  27.     //   https://github.com/CollectionFS/Meteor-CollectionFS/issues/449
    28. 

  28.     //
    29. 

  29.     download(userId, doc) {
    30. 

  30.       const query = {
    31. 

  31.         $or: [
    32. 

  32.           { 'members.userId': userId },
    33. 

  33.           { permission: 'public' },
    34. 

  34.         ],
    35. 

  35.       };
    36. 

  36.       return Boolean(Boards.findOne(doc.boardId, query));
    37. 

  37.     },
    38. 

  38. 

  39.     fetch: ['boardId'],
    40. 

  40.   });
    41. 

  41. }
    42. 

  42. 

  43. // XXX Enforce a schema for the Attachments CollectionFS
    44. 

  44. 

  45. Attachments.files.before.insert((userId, doc) => {
    46. 

  46.   const file = new FS.File(doc);
    47. 

  47.   doc.userId = userId;
    48. 

  48. 

  49.   // If the uploaded document is not an image we need to enforce browser
    50. 

  50.   // download instead of execution. This is particularly important for HTML
    51. 

  51.   // files that the browser will just execute if we don't serve them with the
    52. 

  52.   // appropriate `application/octet-stream` MIME header which can lead to user
    53. 

  53.   // data leaks. I imagine other formats (like PDF) can also be attack vectors.
    54. 

  54.   // See https://github.com/libreboard/libreboard/issues/99
    55. 

  55.   // XXX Should we use `beforeWrite` option of CollectionFS instead of
    56. 

  56.   // collection-hooks?
    57. 

  57.   if (!file.isImage()) {
    58. 

  58.     file.original.type = 'application/octet-stream';
    59. 

  59.   }
    60. 

  60. });
    61. 

  61. 

  62. if (Meteor.isServer) {
    63. 

  63.   Attachments.files.after.insert((userId, doc) => {
    64. 

  64.     Activities.insert({
    65. 

  65.       userId,
    66. 

  66.       type: 'card',
    67. 

  67.       activityType: 'addAttachment',
    68. 

  68.       attachmentId: doc._id,
    69. 

  69.       boardId: doc.boardId,
    70. 

  70.       cardId: doc.cardId,
    71. 

  71.     });
    72. 

  72.   });
    73. 

  73. 

  74.   Attachments.files.after.remove((userId, doc) => {
    75. 

  75.     Activities.remove({
    76. 

  76.       attachmentId: doc._id,
    77. 

  77.     });
    78. 

  78.   });
    79. 

  79. }
    80.