Remove private uploads endpoint, and moveable attachments as authorized downloads will go through uploads endpoint

Author: tsubik

app/controllers/private_uploads_controller.rb

@@ -2,6 +2,8 @@
 
 class UploadsController < ApplicationController
   rescue_from ActionController::MissingFile, with: :raise_not_found_exception
+  rescue_from SecurityError, with: :raise_not_found_exception
+  rescue_from CanCan::AccessDenied, with: :raise_not_found_exception
 
   MODELS_OVERRIDES = {
     "operator_document_file" => "document_file",
@@ -58,22 +60,37 @@ def parse_upload_path
   def ensure_valid_db_record
     raise_not_found_exception unless allowed_models.include?(@model_name)
 
-    model_class = @model_name.classify.constantize
-    raise_not_found_exception unless model_class.uploaders.keys.map(&:to_s).include?(@uploader_name) # ensure valid uploader
+    @model_class = @model_name.classify.constantize
+    raise_not_found_exception unless @model_class.uploaders.keys.map(&:to_s).include?(@uploader_name) # ensure valid uploader
 
-    record = model_class.find(@record_id)
-    uploader = record.public_send(@uploader_name)
-    db_filenames = [uploader.file.file, *uploader.versions.values.map { |v| v.file.file }].map { |f| File.basename(f) }
+    find_record
+    ensure_valid_filename
+  end
+
+  def find_record
+    @record = if current_user.present? && current_user.admin?
+      @model_class.with_deleted.find(@record_id)
+    else
+      @model_class.find(@record_id)
+    end
+    @uploader = @record.public_send(@uploader_name)
+  rescue ActiveRecord::RecordNotFound, NameError
+    raise_not_found_exception
+  end
+
+  def ensure_valid_filename
+    # do not check for admins, could download other files like from papertrail history
+    return if current_user.present? && current_user.admin?
+
+    db_filenames = [@uploader.file.file, *@uploader.versions.values.map { |v| v.file.file }].map { |f| File.basename(f) }
 
     unless db_filenames.include?(File.basename(@sanitized_filepath))
       raise_not_found_exception
     end
-  rescue NameError, ActiveRecord::RecordNotFound
-    raise_not_found_exception
   end
 
   def allowed_models
-    uploads_root = ApplicationUploader.new.public_root.join("uploads")
+    uploads_root = ApplicationUploader.new.root.join("uploads")
     Dir.entries(uploads_root)
       .select { |entry| File.directory?(uploads_root.join(entry)) }
       .reject { |entry| entry.start_with?(".") || entry == "tmp" }

app/controllers/uploads_controller.rb

@@ -33,7 +33,6 @@ def initialize(user = nil)
         can [:read], User, id: user.id
       end
     end
-
     can :read, [Country, Fmu, Category, Subcategory, Law, Species,
       OperatorDocument, OperatorDocumentHistory, RequiredOperatorDocument,
       RequiredOperatorDocumentGroup, ObservationReport, ObservationDocument,

app/models/ability.rb

@@ -33,7 +33,6 @@ class GovDocument < ApplicationRecord
   belongs_to :required_gov_document, -> { with_archived }, inverse_of: :gov_documents
 
   mount_base64_uploader :attachment, GovDocumentUploader
-  include MoveableAttachment
 
   before_validation :set_expire_date, if: proc { |d| d.required_gov_document.valid_period? }
   before_validation :clear_wrong_fields
@@ -43,11 +42,7 @@ class GovDocument < ApplicationRecord
   validates :start_date, presence: true, if: proc { |d| d.required_gov_document.valid_period? && d.has_data? }
   validates :expire_date, presence: true, if: proc { |d| d.required_gov_document.valid_period? && d.has_data? }
 
-  after_update :move_previous_attachment_to_private_directory, if: :saved_change_to_attachment?
-
-  skip_callback :commit, :after, :remove_attachment!
-  after_destroy :move_attachment_to_private_directory
-  after_restore :move_attachment_to_public_directory
+  skip_callback :commit, :after, :remove_attachment! # skip removal after destroying the record, skip after update done in uploader
   after_real_destroy :remove_attachment!
 
   scope :with_archived, -> { unscope(where: :deleted_at) }
@@ -97,27 +92,6 @@ def set_country
     self.country_id = required_gov_document.country_id
   end
 
-  def move_previous_attachment_to_private_directory
-    previous_attachment_filename = previous_changes[:attachment][0]
-    return if previous_attachment_filename.blank?
-
-    from = File.join(attachment.public_root, attachment.store_dir, previous_attachment_filename)
-    to = File.join(attachment.private_root, attachment.store_dir, previous_attachment_filename)
-    FileUtils.makedirs(File.dirname(to))
-    system "mv #{Shellwords.escape(from)} #{Shellwords.escape(to)}"
-  end
-
-  # we only want to move current attachment back to public directory
-  def move_attachment_to_public_directory
-    attachment_attr = self[:attachment]
-    return if attachment_attr.nil?
-
-    from = File.join(attachment.private_root, attachment.store_dir, attachment_attr)
-    to = File.join(attachment.public_root, attachment.store_dir, attachment_attr)
-    FileUtils.makedirs(File.dirname(to))
-    system "mv #{Shellwords.escape(from)} #{Shellwords.escape(to)}"
-  end
-
   def clear_wrong_fields
     case required_gov_document.document_type
     when "file"

app/models/concerns/moveable_attachment.rb

@@ -18,7 +18,6 @@ class ObservationDocument < ApplicationRecord
   has_paper_trail
   acts_as_paranoid
   mount_base64_uploader :attachment, ObservationDocumentUploader
-  include MoveableAttachment
 
   enum :document_type, {
     "Government Documents" => 0, "Company Documents" => 1, "Photos" => 2,
@@ -32,7 +31,5 @@ class ObservationDocument < ApplicationRecord
   has_and_belongs_to_many :observations, inverse_of: :observation_documents
 
   skip_callback :commit, :after, :remove_attachment!
-  after_destroy :move_attachment_to_private_directory
-  after_restore :move_attachment_to_public_directory
   after_real_destroy :remove_attachment!
 end

app/models/gov_document.rb

@@ -17,7 +17,6 @@
 class ObservationReport < ApplicationRecord
   has_paper_trail
   mount_base64_uploader :attachment, ObservationReportUploader
-  include MoveableAttachment
 
   acts_as_paranoid
 
@@ -35,8 +34,6 @@ class ObservationReport < ApplicationRecord
   validates :publication_date, presence: true
 
   skip_callback :commit, :after, :remove_attachment!
-  after_destroy :move_attachment_to_private_directory
-  after_restore :move_attachment_to_public_directory
   after_real_destroy :remove_attachment!
 
   attr_accessor :skip_observers_sync

app/models/observation_document.rb

@@ -4,9 +4,9 @@ class ApplicationUploader < CarrierWave::Uploader::Base
   storage :file
 
   def root
-    return private_root if private_upload?
+    return Rails.root.join("tmp") if Rails.env.test?
 
-    public_root
+    Rails.root
   end
 
   def cache_dir
@@ -15,12 +15,6 @@ def cache_dir
     super
   end
 
-  def url(*args)
-    return super&.gsub("/uploads/", "/private/uploads/") if private_upload?
-
-    super
-  end
-
   def store_dir
     "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
   end
@@ -29,22 +23,6 @@ def exists?
     file.present?
   end
 
-  def private_upload?
-    false
-  end
-
-  def public_root
-    return Rails.root.join("tmp") if Rails.env.test?
-
-    Rails.root
-  end
-
-  def private_root
-    return Rails.root.join("tmp", "private") if Rails.env.test?
-
-    Rails.root.join("private")
-  end
-
   def original_filename
     if file.present?
       file.filename

app/models/observation_report.rb

@@ -17,10 +17,6 @@ def filename
     sanitize_filename(filename)
   end
 
-  def private_upload?
-    model.deleted? || !model.paper_trail.live?
-  end
-
   protected
 
   def random_token

app/uploaders/application_uploader.rb

@@ -19,8 +19,4 @@ def filename
 
     sanitize_filename(filename + File.extname(super))
   end
-
-  def private_upload?
-    model.deleted?
-  end
 end