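class PrivateFilesController < ApplicationController
  class UnknownTypeError < StandardError
  end
  class PermissionDeniedError < StandardError
  end

  # Allow-list of +params[:type]+ values that may be resolved to a model.
  # Frozen so nothing can widen the list at runtime.
  PRIVATE_FILE_TYPES = %w(documents image_files audio_recordings videos).freeze

  # Streams a private file inline to the requester.
  #
  # Request params:
  #   type    - one of PRIVATE_FILE_TYPES; anything else is a 400.
  #   a, b, c - path segments that, concatenated, form the record id.
  #
  # Responses: 200 with the file, 404 when the record does not exist,
  # 400 on an unknown type, 401 when the current user may not view
  # private items in the record's basket.
  def show
    # Resolve the model class from the allow-list only. The previous
    # implementation passed the (already validated) type through eval;
    # a plain constant lookup gives the same class without evaluating
    # any param-derived string as code.
    raise UnknownTypeError unless PRIVATE_FILE_TYPES.include?(params[:type])

    model = params[:type].classify.constantize

    # A missing segment used to raise NoMethodError (500); treating it as
    # an empty string yields id 0, which surfaces as a normal 404 below.
    id = [params[:a], params[:b], params[:c]].join.to_i
    @record = model.find(id)
    @current_basket = @record.basket

    # Permission check is against the record's basket; the file path itself
    # comes from the record, never from the request.
    raise PermissionDeniedError unless permitted_to_view_private_items?

    send_file @record.full_filename,
              :type => @record.content_type,
              :length => @record.size,
              :disposition => 'inline'
  rescue ActiveRecord::RecordNotFound
    logger.warn("#{Time.now} - Requested File Not Found: #{params.inspect}")
    render :text => "Error 404: File Not Found", :status => 404
  rescue UnknownTypeError
    logger.warn("#{Time.now} - Unknown type requested: #{params.inspect}")
    render :text => "Error 400: Bad Request", :status => 400
  rescue PermissionDeniedError
    logger.warn("#{Time.now} - Permission Denied While Requesting Private Item: #{params.inspect}")
    # Refresh the cached basket permissions so a stale session does not
    # keep denying (or granting) access after a permission change.
    session[:has_access_on_baskets] = logged_in? ? current_user.get_basket_permissions : {}
    # NOTE(review): 403 is the usual status for an authenticated-but-unpermitted
    # request; 401 is kept here for compatibility with existing clients.
    render :text => "Error 401: Unauthorized", :status => 401
  end
end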