@@ -1,5 +1,6 @@ require 'open-uri' require 'base64' +require 'digest/sha1' # Load RMagick begin init.rb @@ -17,16 +17,27 @@ module Fleximage module ClassMethods # Invoke this method to enable this controller to allow editing of images via Aviary - def editable_in_aviary(model_class) + def editable_in_aviary(model_class, options = {}) + unless options.has_key?(:secret) + raise ArgumentError, ":secret key in options is required.\nExample: editable_in_aviary(Photo, :secret => \"My-deep-dark-secret\")" + end + # Don't verify authenticity for aviary callback protect_from_forgery :except => :aviary_image_update # Include the necesary instance methods include Fleximage::AviaryController::InstanceMethods + # Add before_filter to secure aviary actions + before_filter :aviary_image_security, :only => [:aviary_image, :aviary_image_update] + + # Allow the view access to the image hash generation method + helper_method :aviary_image_hash + # Save the Fleximage model class model_class = model_class.constantize if model_class.is_a?(String) dsl_accessor :aviary_model_class, :default => model_class + dsl_accessor :aviary_secret, :default => options[:secret] end end @@ -35,19 +46,29 @@ module Fleximage # Deliver the master image to aviary def aviary_image - model_class = self.class.aviary_model_class - @model = model_class.find(params[:id]) - render :text => @model.load_image.to_blob, :content_type => Mime::Type.lookup_by_extension(model_class.image_storage_format.to_s) + render :text => @model.load_image.to_blob, + :content_type => Mime::Type.lookup_by_extension(self.class.aviary_model_class.image_storage_format.to_s) end # Aviary posts the edited image back to the controller here def aviary_image_update - @model = self.class.aviary_model_class.find(params[:id]) @model.image_file_url = params[:imageurl] @model.save render :text => 'Image Updated From Aviary' end + protected + def aviary_image_hash(model) + Digest::SHA1.hexdigest("fleximage-aviary-#{model.id}-#{model.created_at}-#{self.class.aviary_secret}") + end + + def aviary_image_security + @model = self.class.aviary_model_class.find(params[:id]) + unless aviary_image_hash(@model) == params[:key] + render :text => '<h1>403 Not Authorized</h1>', :status => '403' + end + end + end end lib/fleximage/aviary_controller.rb @@ -28,8 +28,9 @@ module Fleximage # # All other options are passed directly to the @link_to@ helper. def link_to_edit_in_aviary(text, model, options = {}) - image_url = options.delete(:image_url) || url_for(:action => 'aviary_image', :id => model, :only_path => false) - post_url = options.delete(:image_update_url) || url_for(:action => 'aviary_image_update', :id => model, :only_path => false) + key = aviary_image_hash(model) + image_url = options.delete(:image_url) || url_for(:action => 'aviary_image', :id => model, :only_path => false, :key => key) + post_url = options.delete(:image_update_url) || url_for(:action => 'aviary_image_update', :id => model, :only_path => false, :key => key) api_key = Fleximage::AviaryController.api_key url = "http://aviary.com/flash/aviary/index.aspx?tid=1&phoenix&apil=#{api_key}&loadurl=#{CGI.escape image_url}&posturl=#{CGI.escape post_url}" lib/fleximage/helper.rb c9baa88cba13d43dbe06e8a6e8f332ab0bfcdd5c Alex Wayne alex@beautifulpixel.com http://github.com/Squeegy/fleximage/commit/996afb7928ee011867986416cd5a6dc114dfb8ac 996afb7928ee011867986416cd5a6dc114dfb8ac 2009-05-24T12:49:20-07:00 2009-05-24T12:49:20-07:00 Added some much needed security to aviary integration. 1e180332552c66bf2294d39b040c011eac3713c8 Alex Wayne alex@beautifulpixel.com