refile 0.3.0 → 0.4.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: bd423a66e8cd66e1dbb128aad4724806341335ea
-  data.tar.gz: 8eef6a2838a39c3d74b87fe03467905ea548145e
+  metadata.gz: 07f335bddd4f808d06e31efe59579f85ddaa635b
+  data.tar.gz: bb5c872f88e17f6756988f2c3cb0bd65ecac9843
 SHA512:
-  metadata.gz: 7b2b30128fd4f7980a5b3e1b490fa47f17acf38c7bc458b0eec8a117856c90d087606341055ff1af77b9b37138849020a219c9cd59d6640ff30334595d4d6162
-  data.tar.gz: 4a01443db981b687b7933463cfa5a1a1837f8e16470cfdbf4d4fb3bf9f609d2334afebbb803c8735cf1836626ef1e3e0ace656ceae19bbce49132fbea873b2af
+  metadata.gz: 277ff85d62eb22974311570c0f8245aec981ef1f9bc6e7f9086f8d0ee8890dd4af89154efba369acc52071d20f11641a0b54b2687cfd831b3139f6ef75d95a1a
+  data.tar.gz: 8f22cf639037cb0ed933f5a399abc1f9534dd8c4b6e60e76f9f55452653cb25679bd8e2c5e5655cabbae6d8fd00739526dfd55c9f60afd19b56c88228414bd8c

data/.rubocop.yml

@@ -0,0 +1,56 @@
+Metrics/LineLength:
+  Max: 150 # TODO: we should decrease this to 120
+
+Metrics/ClassLength:
+  Max: 300
+
+Metrics/MethodLength:
+  Max: 25
+
+Metrics/ParameterLists:
+  Max: 8
+
+Metrics/AbcSize:
+  Max: 20
+
+Metrics/CyclomaticComplexity:
+  Max: 7 # TODO: reduce
+
+Style/AlignParameters:
+  EnforcedStyle: with_fixed_indentation
+
+Style/StringLiterals:
+  EnforcedStyle: double_quotes
+
+Style/StringLiteralsInInterpolation:
+  EnforcedStyle: double_quotes
+
+Style/AndOr:
+  Enabled: false
+
+Style/Not:
+  Enabled: false
+
+Documentation:
+  Enabled: false # TODO: Enable again once we have more docs
+
+Style/CaseIndentation:
+  IndentWhenRelativeTo: case
+  SupportedStyles:
+    - case
+    - end
+  IndentOneStep: true
+
+Style/PercentLiteralDelimiters:
+  PreferredDelimiters:
+    '%w': "[]"
+    '%W': "[]"
+
+Style/AccessModifierIndentation:
+  EnforcedStyle: outdent
+
+Style/SignalException:
+  Enabled: false
+
+Lint/EndAlignment:
+  AlignWith: variable

data/.travis.yml

@@ -1,8 +1,19 @@
 language: ruby
+
 rvm:
+  - 2.1
   - 2.1.5
+  - ruby-head
+
 gemfile:
   - Gemfile
+
+sudo: false
+
 before_script:
   - export DISPLAY=:99.0
   - sh -e /etc/init.d/xvfb start
+
+matrix:
+  allow_failures:
+    - rvm: ruby-head

data/Gemfile

@@ -1,3 +1,3 @@
-source 'https://rubygems.org'
+source "https://rubygems.org"
 
 gemspec

data/History.md

@@ -1,3 +1,18 @@
+# 0.4.0
+
+Release date: 2014-12-26
+
+- [ADDED] Pass through additional args to S3
+- [ADDED] Rack app sets far future expiry headers
+- [ADDED] Sinatra app supports CORS preflight requests
+- [ADDED] Helpers can take `host` option
+- [ADDED] File type validations
+- [ADDED] attachment_field accept attribute is set from file type restrictions
+- [CHANGED] Dynamically generated methods in attachments are included via Module
+- [CHANGED] Rack app replaced with Sinatra app
+- [FIXED] Various content type fixes in Sinatra app
+- [FIXED] Don't set id of record if it is frozen
+
 # 0.3.0
 
 Release date: 2014-12-14

data/README.md

@@ -1,6 +1,7 @@
 # Refile
 [![Gem Version](https://badge.fury.io/rb/refile.svg)](http://badge.fury.io/rb/refile)
 [![Build Status](https://travis-ci.org/elabs/refile.svg?branch=master)](https://travis-ci.org/elabs/refile)
+[![Code Climate](https://codeclimate.com/github/elabs/refile/badges/gpa.svg)](https://codeclimate.com/github/elabs/refile)
 
 Refile is a modern file upload library for Ruby applications. It is simple, yet
 powerful. Refile is an attempt by CarrierWave's original author to fix the
@@ -218,9 +219,9 @@ end
 
 ## 3. Rack Application
 
-Refile includes a Rack application (an endpoint, not a middleware). This application
-streams files from backends and can even accept file uploads and upload them to
-backends.
+Refile includes a Rack application (an endpoint, not a middleware), written in
+Sinatra. This application streams files from backends and can even accept file
+uploads and upload them to backends.
 
 **Important:** Unlike other file upload solutions, Refile always streams your files through your
 application. It cannot generate URLs to your files. This means that you should
@@ -341,7 +342,7 @@ With this helper you can specify an image which is used as a fallback in case
 no file has been uploaded:
 
 ``` erb
-<%= attachment_image_tag(@user, :profile_image, :fill, 300, 300, fallback: "defaul.png") %>
+<%= attachment_image_tag(@user, :profile_image, :fill, 300, 300, fallback: "default.png") %>
 ```
 
 ## 5. JavaScript library
@@ -430,7 +431,7 @@ cross site AJAX requests from posting to buckets. Fixing this is easy though.
 - Click "Add CORS Configuration"
 
 The default configuration only allows "GET", you'll want to allow "POST" as
-well. You'll also want to permit the "Content-Type" header.
+well. You'll also want to permit the "Content-Type" and "Origin" headers.
 
 It could look something like this:
 
@@ -443,6 +444,7 @@ It could look something like this:
         <MaxAgeSeconds>3000</MaxAgeSeconds>
         <AllowedHeader>Authorization</AllowedHeader>
         <AllowedHeader>Content-Type</AllowedHeader>
+        <AllowedHeader>Origin</AllowedHeader>
     </CORSRule>
 </CORSConfiguration>
 ```
@@ -477,6 +479,40 @@ Refile's JavaScript library requires HTML5 features which are unavailable on
 IE9 and earlier versions. All other major browsers are supported. Note though
 that it has not yet been extensively tested.
 
+## File type validations
+
+Refile can check that attached files have a given content type or extension.
+This allows you to warn users if they try to upload an invalid file.
+
+**Important:** You should regard this as a convenience feature for your users,
+not a security feature. Both file extension and content type can easily be
+spoofed.
+
+In order to limit attachments to an extension or content type, you can provide
+them like this:
+
+``` ruby
+attachment :cv, extension: "pdf"
+attachment :profile_image, content_type: "image/jpeg"
+```
+
+You can also provide a list of content type or extensions:
+
+``` ruby
+attachment :cv, extension: ["pdf", "doc"]
+attachment :profile_image, content_type: ["image/jpeg", "image/png", "image/gif"]
+```
+
+Since the combination of JPEG, PNG and GIF is so common, you can also specify
+this more succinctly like this:
+
+``` ruby
+attachment :profile_image, type: :image
+```
+
+When a user uploads a file with an invalid extension or content type and
+submits the form, they'll be presented with a validation error.
+
 ## Removing attached files
 
 File input fields unfortunately do not have the option of removing an already

data/Rakefile

@@ -4,6 +4,7 @@ require "bundler/gem_tasks"
 require "refile/test_app"
 require "rspec/core/rake_task"
 require "yard"
+require "rubocop/rake_task"
 
 YARD::Rake::YardocTask.new do |t|
   t.files = ["README.md", "lib/**/*.rb"]
@@ -11,6 +12,8 @@ end
 
 RSpec::Core::RakeTask.new(:spec)
 
-task default: :spec
+RuboCop::RakeTask.new
+
+task default: [:spec, :rubocop]
 
 Rails.application.load_tasks

data/config/locales/en.yml

@@ -4,3 +4,5 @@ en:
       messages:
         too_large: "is too large"
         download_failed: "could not be downloaded"
+        invalid_content_type: "has an invalid file format"
+        invalid_extension: "has an invalid file format"

data/config/routes.rb

@@ -1,3 +1,5 @@
-Rails.application.routes.draw do
-  mount Refile.app, at: "attachments", as: :refile_app
+if Refile.automount
+  Rails.application.routes.draw do
+    mount Refile.app, at: Refile.mount_point, as: :refile_app
+  end
 end

data/lib/refile/app.rb

@@ -1,99 +1,124 @@
-require "logger"
 require "json"
+require "sinatra/base"
 
 module Refile
-  class App
-    def initialize(logger: nil, allow_origin: nil)
-      @logger = logger
-      @logger ||= ::Logger.new(nil)
-      @allow_origin = allow_origin
-    end
-
-    # @api private
-    class Proxy
-      def initialize(peek, file)
-        @peek = peek
-        @file = file
-      end
+  class App < Sinatra::Base
+    configure do
+      set :show_exceptions, false
+      set :raise_errors, false
+      set :sessions, false
+      set :logging, false
+      set :dump_errors, false
+    end
 
-      def close
-        @file.close
+    before do
+      content_type ::File.extname(request.path), default: "application/octet-stream"
+      if Refile.allow_origin
+        response["Access-Control-Allow-Origin"] = Refile.allow_origin
+        response["Access-Control-Allow-Headers"] = request.env["HTTP_ACCESS_CONTROL_REQUEST_HEADERS"].to_s
+        response["Access-Control-Allow-Method"] = request.env["HTTP_ACCESS_CONTROL_REQUEST_METHOD"].to_s
       end
+    end
 
-      def each(&block)
-        block.call(@peek)
-        @file.each(&block)
-      end
+    get "/:backend/:id/:filename" do
+      set_expires_header
+      stream_file(file)
     end
 
-    def call(env)
-      @logger.info { "Refile: #{env["REQUEST_METHOD"]} #{env["PATH_INFO"]}" }
+    get "/:backend/:processor/:id/:file_basename.:extension" do
+      set_expires_header
+      stream_file processor.call(file, format: params[:extension])
+    end
 
-      backend_name, *args = env["PATH_INFO"].sub(/^\//, "").split("/")
-      backend = Refile.backends[backend_name]
+    get "/:backend/:processor/:id/:filename" do
+      set_expires_header
+      stream_file processor.call(file)
+    end
 
-      if env["REQUEST_METHOD"] == "GET" and backend and args.length >= 2
-        *process_args, id, filename = args
-        format = ::File.extname(filename)[1..-1]
+    get "/:backend/:processor/*/:id/:file_basename.:extension" do
+      set_expires_header
+      stream_file processor.call(file, *params[:splat].first.split("/"), format: params[:extension])
+    end
 
-        @logger.debug { "Refile: serving #{id.inspect} from #{backend_name} backend which is of type #{backend.class}" }
+    get "/:backend/:processor/*/:id/:filename" do
+      set_expires_header
+      stream_file processor.call(file, *params[:splat].first.split("/"))
+    end
 
-        file = backend.get(id)
+    options "/:backend" do
+      ""
+    end
 
-        unless process_args.empty?
-          name = process_args.shift
-          processor = Refile.processors[name]
-          unless processor
-            @logger.debug { "Refile: no such processor #{name.inspect}" }
-            return not_found
-          end
-          file = if format
-            processor.call(file, *process_args, format: format)
-          else
-            processor.call(file, *process_args)
-          end
-        end
+    post "/:backend" do
+      backend = Refile.backends[params[:backend]]
+      halt 404 unless backend && Refile.direct_upload.include?(params[:backend])
+      tempfile = request.params.fetch("file").fetch(:tempfile)
+      file = backend.upload(tempfile)
+      content_type :json
+      { id: file.id }.to_json
+    end
 
-        peek = begin
-          file.read(Refile.read_chunk_size)
-        rescue => e
-          log_error(e)
-          return not_found
-        end
+    not_found do
+      content_type :text
+      "not found"
+    end
 
-        headers = {}
-        headers["Access-Control-Allow-Origin"] = @allow_origin if @allow_origin
+    error do |error_thrown|
+      log_error("Error -> #{error_thrown}")
+      error_thrown.backtrace.each do |line|
+        log_error(line)
+      end
+      content_type :text
+      "error"
+    end
 
-        [200, headers, Proxy.new(peek, file)]
-      elsif env["REQUEST_METHOD"] == "POST" and backend and args.empty? and Refile.direct_upload.include?(backend_name)
-        @logger.debug { "Refile: uploading to #{backend_name} backend which is of type #{backend.class}" }
+  private
 
-        tempfile = Rack::Request.new(env).params.fetch("file").fetch(:tempfile)
-        file = backend.upload(tempfile)
+    def set_expires_header
+      expires Refile.content_max_age, :public, :must_revalidate
+    end
 
-        [200, { "Content-Type" => "application/json" }, [{ id: file.id }.to_json]]
-      else
-        not_found
+    def logger
+      Refile.logger
+    end
+
+    def stream_file(file)
+      stream do |out|
+        file.each do |chunk|
+          out << chunk
+        end
       end
-    rescue => e
-      log_error(e)
-      [500, {}, ["error"]]
     end
 
-  private
+    def backend
+      backend = Refile.backends[params[:backend]]
+      unless backend
+        log_error("Could not find backend: #{params[:backend]}")
+        halt 404
+      end
+      backend
+    end
 
-    def not_found
-      [404, {}, ["not found"]]
+    def file
+      file = backend.get(params[:id])
+      unless file.exists?
+        log_error("Could not find attachment by id: #{params[:id]}")
+        halt 404
+      end
+      file
     end
 
-    def log_error(e)
-      if @logger.debug?
-        @logger.debug "Refile: unable to read file"
-        @logger.debug "#{e.class}: #{e.message}"
-        e.backtrace.each do |line|
-          @logger.debug "  #{line}"
-        end
+    def processor
+      processor = Refile.processors[params[:processor]]
+      unless processor
+        log_error("Could not find processor: #{params[:processor]}")
+        halt 404
       end
+      processor
+    end
+
+    def log_error(message)
+      logger.error "#{self.class.name}: #{message}"
     end
   end
 end

data/lib/refile/attacher.rb

@@ -0,0 +1,115 @@
+module Refile
+  # @api private
+  class Attacher
+    attr_reader :record, :name, :cache, :store, :cache_id, :options, :errors, :type, :extensions, :content_types
+    attr_accessor :remove
+
+    def initialize(record, name, cache:, store:, raise_errors: true, type: nil, extension: nil, content_type: nil)
+      @record = record
+      @name = name
+      @raise_errors = raise_errors
+      @cache = Refile.backends.fetch(cache.to_s)
+      @store = Refile.backends.fetch(store.to_s)
+      @type = type
+      @extensions = [extension].flatten if extension
+      @content_types = [content_type].flatten if content_type
+      @content_types ||= %w[image/jpeg image/gif image/png] if type == :image
+      @errors = []
+    end
+
+    def id
+      record.send(:"#{name}_id")
+    end
+
+    def id=(id)
+      record.send(:"#{name}_id=", id) unless record.frozen?
+    end
+
+    def get
+      if cached?
+        cache.get(cache_id)
+      elsif id and not id == ""
+        store.get(id)
+      end
+    end
+
+    def valid?(uploadable)
+      @errors = []
+      @errors << :invalid_extension if @extensions and not valid_extension?(uploadable)
+      @errors << :invalid_content_type if @content_types and not valid_content_type?(uploadable)
+      @errors << :too_large if cache.max_size and uploadable.size >= cache.max_size
+      @errors.empty?
+    end
+
+    def cache!(uploadable)
+      if valid?(uploadable)
+        @cache_file = cache.upload(uploadable)
+        @cache_id = @cache_file.id
+      elsif @raise_errors
+        raise Refile::Invalid, @errors.join(", ")
+      end
+    end
+
+    def download(url)
+      if url and not url == ""
+        cache!(RestClient::Request.new(method: :get, url: url, raw_response: true).execute.file)
+      end
+    rescue RestClient::Exception
+      @errors = [:download_failed]
+      raise if @raise_errors
+    end
+
+    def cache_id=(id)
+      @cache_id = id unless @cache_file
+    end
+
+    def store!
+      if remove?
+        delete!
+      elsif cached?
+        file = store.upload(cache.get(cache_id))
+        delete!
+        self.id = file.id
+      end
+    end
+
+    def delete!
+      if cached?
+        cache.delete(cache_id)
+        @cache_id = nil
+        @cache_file = nil
+      end
+      store.delete(id) if id
+      self.id = nil
+    end
+
+    def remove?
+      remove and remove != "" and remove !~ /\A0|false$\z/
+    end
+
+    def accept
+      if content_types
+        content_types.join(",")
+      elsif extensions
+        extensions.map { |e| ".#{e}" }.join(",")
+      end
+    end
+
+  private
+
+    def valid_content_type?(uploadable)
+      content_type = Refile.extract_content_type(uploadable) or return false
+      @content_types.include?(content_type)
+    end
+
+    def valid_extension?(uploadable)
+      filename = Refile.extract_filename(uploadable) or return false
+      extension = ::File.extname(filename).sub(/^\./, "")
+      @extensions.include?(extension)
+    end
+
+    def cached?
+      cache_id and not cache_id == ""
+    end
+  end
+end

data/lib/refile/attachment/active_record.rb

@@ -6,22 +6,22 @@ module Refile
       # Attachment method which hooks into ActiveRecord models
       #
       # @see Refile::Attachment#attachment
-      def attachment(name, cache: :cache, store: :store, raise_errors: false)
+      def attachment(name, raise_errors: false, **)
         super
 
-        attachment = "#{name}_attachment"
+        attacher = "#{name}_attacher"
 
         validate do
-          errors = send(attachment).errors
+          errors = send(attacher).errors
           self.errors.add(name, *errors) unless errors.empty?
         end
 
         before_save do
-          send(attachment).store!
+          send(attacher).store!
         end
 
         after_destroy do
-          send(attachment).delete!
+          send(attacher).delete!
         end
       end
     end