infopark_fiona7 0.71.0.3 → 0.71.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4619dc5e8bf5eb3dd97371dff2649fc8f5ec0132
-  data.tar.gz: 5e991611b12dfd0495a3f61b710c49da1f21e9b9
+  metadata.gz: 2943d8f71016c77e2923a62ebdc4c196046c7a12
+  data.tar.gz: 8cab80405cc8c406104dc1cf6f468ce63f8a3723
 SHA512:
-  metadata.gz: c9a406c89e791f21722a8401317692b8a786d41d76cdc1790dc615842405349d60f21c455b18e8c2d0e34f4dd1cd6c91cd8ae3482c9757fc8d3b55fbdaaaed45
-  data.tar.gz: a3c4c6a56e68cb1b0c12fb0c98b74f8a498371c679c5e1a8897cc4160b105afe49321bf29c7bc83298bc4236714806df85314ba88374cb2532158a9157d33b0e
+  metadata.gz: 29ebb08d03e8b21b8b01abaabd831a538365670613f4c19983fb23762a375109f8aefcabca4e723d1486b1af650c113c1165937d99c16e859070891176a3d433
+  data.tar.gz: 2286addb1ac034a38e69678963fd40ea175a03d784be6a301b7944e105e1fdfce9c1d6fc0339d30546590c6d9976136ab1f3a52dc1f202fcc10bdfac7dde6ff8

data/app/controllers/fiona7/blobs_controller.rb

@@ -1,9 +1,20 @@
 module Fiona7
   class BlobsController < ActionController::Base
-
     include Fiona7::BinaryHandling::DeliveryMixin
+    include RailsConnector::CmsAccessible
+
+    before_filter :load_obj
+    before_filter :ensure_object_is_active
+    before_filter :ensure_object_is_permitted
 
     protected
+    def load_obj
+      @obj = Fiona7::WriteObj.find(binary_id_from_params)
+    end
+
+    def render_obj_error(code, msg)
+      head code
+    end
 
     def binary_id_from_params
       params[:id]

data/app/controllers/fiona7/default_scrivito_cms_controller.rb

@@ -4,7 +4,6 @@ module Fiona7
     before_filter :assert_legacy_mode
 
     def index
-      return deliver_file if @obj.binary?
       return redirect_to cms_path(@obj.fiona_obj)
     end
 

data/lib/fiona7/access_permission_check.rb

@@ -0,0 +1,50 @@
+module Fiona7
+  class AccessPermissionCheck
+    def initialize(obj, env, rc_user, reactor_user)
+      self.obj = obj
+      self.env = env
+      self.rc_user = rc_user
+      self.reactor_user = reactor_user
+    end
+
+    def read_permitted?
+      if editing?
+        read_permission_check
+      else
+        live_permission_check 
+      end
+    end
+
+    protected
+    attr_accessor :obj, :env, :rc_user, :reactor_user
+    
+    def editing?
+      editing_context = self.env[Scrivito::EditingContextMiddleware::ENVKEY]
+      editing_context && editing_context.authenticated_editor? && selected_workspace_id(editing_context) == 'rtc'
+    end
+
+    # this is very quick!
+    def live_permission_check
+      self.obj.permitted_for_user?(self.rc_user)
+    end
+
+    # this is very slow!
+    def read_permission_check
+      if !self.reactor_user
+        false
+      else
+        self.reactor_user.superuser? ||
+          (self.obj.permissions.root & self.reactor_user.groups).any? ||
+          (self.obj.permissions.read & self.reactor_user.groups).any?
+      end
+    end
+
+    private
+    def selected_workspace_id(editing_context)
+      # NOTE: this does not require workspace lookup/load_obj
+      # and thus is potentially faster
+      editing_context.instance_variable_get(:@selected_workspace_id).to_s
+    end
+
+  end
+end

data/lib/fiona7/engine.rb

@@ -36,6 +36,8 @@ require "fiona7/scrivito_patches/page_config"
 require "fiona7/scrivito_patches/type_computer"
 require "fiona7/scrivito_patches/workspace"
 
+require "fiona7/fiona_connector_patches/cms_accessible"
+
 require "fiona7/middleware/table_switching_middleware"
 require "fiona7/middleware/server_detection_middleware"
 

data/lib/fiona7/fiona_connector_patches/basic_obj.rb

@@ -7,6 +7,7 @@ module RailsConnector
       Scrivito::Obj.find(self.id)
     end
 
+    has_many(:arel_permissions, :class_name => "::RailsConnector::Permission", :foreign_key => "object_id")
     # never use cached permissions
     def permissions
       arel_permissions

data/lib/fiona7/fiona_connector_patches/cms_accessible.rb

@@ -0,0 +1,16 @@
+require 'rails_connector/cms_accessible'
+require 'fiona7/access_permission_check'
+
+module RailsConnector
+  module CmsAccessible
+    # changed to check live and read permissions
+    def ensure_object_is_permitted
+      unless Fiona7::AccessPermissionCheck.new(@obj, request.env, current_user, rsession && rsession.user? && rsession.user).read_permitted?
+        @obj = nil
+        render_obj_error(403, "forbidden")
+        return false
+      end
+      return true
+    end
+  end
+end

data/lib/fiona7/version.rb

@@ -1,3 +1,3 @@
 module Fiona7
-  VERSION = "0.71.0.3"
+  VERSION = "0.71.0.4"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: infopark_fiona7
 version: !ruby/object:Gem::Version
-  version: 0.71.0.3
+  version: 0.71.0.4
 platform: ruby
 authors:
 - Tomasz Przedmojski
@@ -166,6 +166,7 @@ files:
 - config/locales/permissions.yml
 - config/routes.rb
 - infopark_fiona7.gemspec
+- lib/fiona7/access_permission_check.rb
 - lib/fiona7/assert.rb
 - lib/fiona7/builder/batch_widget_writer.rb
 - lib/fiona7/builder/obj_builder.rb
@@ -183,6 +184,7 @@ files:
 - lib/fiona7/controllers/rest_api/workspace_controller.rb
 - lib/fiona7/engine.rb
 - lib/fiona7/fiona_connector_patches/basic_obj.rb
+- lib/fiona7/fiona_connector_patches/cms_accessible.rb
 - lib/fiona7/initializer.rb
 - lib/fiona7/json/obj_decorator.rb
 - lib/fiona7/json/reverse_obj_decorator.rb