wekan/collections/attachments.js

Attachments = new FS.Collection('attachments', {
  stores: [

    // XXX Add a new store for cover thumbnails so we don't load big images in
    // the general board view
    new FS.Store.GridFS('attachments')
  ]
});

if (Meteor.isServer) {
  Attachments.allow({
    insert: function(userId, doc) {
      return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    },
    update: function(userId, doc) {
      return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    },
    remove: function(userId, doc) {
      return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    },
    // We authorize the attachment download either:
    // - if the board is public, everyone (even unconnected) can download it
    // - if the board is private, only board members can download it
    //
    // XXX We have a bug with the `userId` verification:
    //
    //   https://github.com/CollectionFS/Meteor-CollectionFS/issues/449
    //
    download: function(userId, doc) {
      var query = {
        $or: [
          { 'members.userId': userId },
          { permission: 'public' }
        ]
      };
      return !! Boards.findOne(doc.boardId, query);
    },

    fetch: ['boardId']
  });
}

// XXX Enforce a schema for the Attachments CollectionFS

Attachments.files.before.insert(function(userId, doc) {
  var file = new FS.File(doc);
  doc.userId = userId;

  // If the uploaded document is not an image we need to enforce browser
  // download instead of execution. This is particularly important for HTML
  // files that the browser will just execute if we don't serve them with the
  // appropriate `application/octet-stream` MIME header which can lead to user
  // data leaks. I imagine other formats (like PDF) can also be attack vectors.
  // See https://github.com/libreboard/libreboard/issues/99
  // XXX Should we use `beforeWrite` option of CollectionFS instead of
  // collection-hooks?
  if (! file.isImage()) {
    file.original.type = 'application/octet-stream';
  }
});

if (Meteor.isServer) {
  Attachments.files.after.insert(function(userId, doc) {
    Activities.insert({
      type: 'card',
      activityType: 'addAttachment',
      attachmentId: doc._id,
      boardId: doc.boardId,
      cardId: doc.cardId,
      userId: userId
    });
  });

  Attachments.files.after.remove(function(userId, doc) {
    Activities.remove({
      attachmentId: doc._id
    });
  });
}
Renaissance _,,ad8888888888bba,_ ,ad88888I888888888888888ba, ,88888888I88888888888888888888a, ,d888888888I8888888888888888888888b, d88888PP"""" ""YY88888888888888888888b, ,d88"'__,,--------,,,,.;ZZZY8888888888888, ,8IIl'" ;;l"ZZZIII8888888888, ,I88l;' ;lZZZZZ888III8888888, ,II88Zl;. ;llZZZZZ888888I888888, ,II888Zl;. .;;;;;lllZZZ888888I8888b ,II8888Z;; `;;;;;''llZZ8888888I8888, II88888Z;' .;lZZZ8888888I888b II88888Z; _,aaa, .,aaaaa,__.l;llZZZ88888888I888 II88888IZZZZZZZZZ, .ZZZZZZZZZZZZZZ;llZZ88888888I888, II88888IZZ<'(@@>Z\| \|ZZZ<'(@@>ZZZZ;;llZZ888888888I88I ,II88888; `""" ;\| \|ZZ; `""" ;;llZ8888888888I888 II888888l `;; .;llZZ8888888888I888, ,II888888Z; ;;; .;;llZZZ8888888888I888I III888888Zl; .., `;; ,;;lllZZZ88888888888I888 II88888888Z;;...;(_ _) ,;;;llZZZZ88888888888I888, II88888888Zl;;;;;' `--'Z;. .,;;;;llZZZZ88888888888I888b ]I888888888Z;;;;' ";llllll;..;;;lllZZZZ88888888888I8888, II888888888Zl.;;"Y88bd888P";;,..;lllZZZZZ88888888888I8888I II8888888888Zl;.; `"PPP";;;,..;lllZZZZZZZ88888888888I88888 II888888888888Zl;;. `;;;l;;;;lllZZZZZZZZW88888888888I88888 `II8888888888888Zl;. ,;;lllZZZZZZZZWMZ88888888888I88888 II8888888888888888ZbaalllZZZZZZZZZWWMZZZ8888888888I888888, `II88888888888888888b"WWZZZZZWWWMMZZZZZZI888888888I888888b `II88888888888888888;ZZMMMMMMZZZZZZZZllI888888888I8888888 `II8888888888888888 `;lZZZZZZZZZZZlllll888888888I8888888, II8888888888888888, `;lllZZZZllllll;;.Y88888888I8888888b, ,II8888888888888888b .;;lllllll;;;.;..88888888I88888888b, II888888888888888PZI;. .`;;;.;;;..; ...88888888I8888888888, II888888888888PZ;;';;. ;. .;. .;. .. Y8888888I88888888888b, ,II888888888PZ;;' `8888888I8888888888888b, II888888888' 888888I8888888888888888 ,II888888888 ,888888I8888888888888888 ,d88888888888 d888888I8888888888ZZZZZZ ,ad888888888888I 8888888I8888ZZZZZZZZZZZZ 888888888888888' 888888IZZZZZZZZZZZZZZZZZ 8888888888P'8P' Y888ZZZZZZZZZZZZZZZZZZZZ 888888888, " ,ZZZZZZZZZZZZZZZZZZZZZZZ 8888888888, ,ZZZZZZZZZZZZZZZZZZZZZZZZZZ 888888888888a, _ ,ZZZZZZZZZZZZZZZZZZZZ88888888 888888888888888ba,_d' ,ZZZZZZZZZZZZZZZZZ8888888888888 8888888888888888888888bbbaaa,,,______,ZZZZZZZZZZZZZZZ88888888888888888 88888888888888888888888888888888888ZZZZZZZZZZZZZZZ88888888888888888888 8888888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888 888888888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888888888 8888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888 88888888888888888888888888888ZZZZZZZZZZZZZZ888888888888888888888888888 8888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888 Normand 8 88888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888 Veilleux 8 8888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888888888 2015-05-12 19:20:58 +02:00			`Attachments = new FS.Collection('attachments', {`
			`stores: [`

			`// XXX Add a new store for cover thumbnails so we don't load big images in`
			`// the general board view`
			`new FS.Store.GridFS('attachments')`
			`]`
			`});`

			`if (Meteor.isServer) {`
			`Attachments.allow({`
			`insert: function(userId, doc) {`
			`return allowIsBoardMember(userId, Boards.findOne(doc.boardId));`
			`},`
			`update: function(userId, doc) {`
			`return allowIsBoardMember(userId, Boards.findOne(doc.boardId));`
			`},`
			`remove: function(userId, doc) {`
			`return allowIsBoardMember(userId, Boards.findOne(doc.boardId));`
			`},`
			`// We authorize the attachment download either:`
			`// - if the board is public, everyone (even unconnected) can download it`
			`// - if the board is private, only board members can download it`
			`//`
			// XXX We have a bug with the `userId` verification:
			`//`
			`// https://github.com/CollectionFS/Meteor-CollectionFS/issues/449`
			`//`
			`download: function(userId, doc) {`
			`var query = {`
			`$or: [`
			`{ 'members.userId': userId },`
			`{ permission: 'public' }`
			`]`
			`};`
			`return !! Boards.findOne(doc.boardId, query);`
			`},`

			`fetch: ['boardId']`
			`});`
			`}`

			`// XXX Enforce a schema for the Attachments CollectionFS`

			`Attachments.files.before.insert(function(userId, doc) {`
			`var file = new FS.File(doc);`
			`doc.userId = userId;`

			`// If the uploaded document is not an image we need to enforce browser`
			`// download instead of execution. This is particularly important for HTML`
			`// files that the browser will just execute if we don't serve them with the`
			// appropriate `application/octet-stream` MIME header which can lead to user
			`// data leaks. I imagine other formats (like PDF) can also be attack vectors.`
			`// See https://github.com/libreboard/libreboard/issues/99`
			// XXX Should we use `beforeWrite` option of CollectionFS instead of
			`// collection-hooks?`
			`if (! file.isImage()) {`
			`file.original.type = 'application/octet-stream';`
			`}`
			`});`

			`if (Meteor.isServer) {`
			`Attachments.files.after.insert(function(userId, doc) {`
			`Activities.insert({`
			`type: 'card',`
			`activityType: 'addAttachment',`
			`attachmentId: doc._id,`
			`boardId: doc.boardId,`
			`cardId: doc.cardId,`
			`userId: userId`
			`});`
			`});`

			`Attachments.files.after.remove(function(userId, doc) {`
			`Activities.remove({`
			`attachmentId: doc._id`
			`});`
			`});`
			`}`