From 36524d4cd999e8cf252e628e8f9dcfc520e72088 Mon Sep 17 00:00:00 2001 From: Sylvain Date: Tue, 27 Sep 2016 14:08:04 +0200 Subject: [PATCH] display list of allowed extensions in project's CAD attachments --- CHANGELOG.md | 3 ++- README.md | 23 +++++++++++++++++++ .../controllers/projects.coffee.erb | 19 +++++++++------ app/assets/javascripts/router.coffee.erb | 6 +++++ .../javascripts/services/project.coffee | 4 ++++ app/assets/templates/projects/_form.html.erb | 22 ++++++++++-------- app/controllers/api/projects_controller.rb | 4 ++++ app/models/project_cao.rb | 10 +------- app/uploaders/project_cao_uploader.rb | 2 +- config/application.yml.default | 3 +++ config/locales/app.shared.en.yml | 1 + config/locales/app.shared.fr.yml | 1 + config/routes.rb | 3 ++- 13 files changed, 73 insertions(+), 28 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index a1d758255..e5a3aa95e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -38,6 +38,7 @@ - Admins can toggle reminders on/off and customize the delay - More file types allowed as project CAD attachements - Project CAD attachements are now checked by MIME type in addition of extension check +- Project CAD attachement allowed are now configured in environment variables - Display strategy's name in SSO providers list - SSO: documentation improved with an usage example - SSO: mapped fields display their data type. Integers, booleans and dates allow some transformations. @@ -56,7 +57,7 @@ - [TODO DEPLOY] `rake fablab:es_add_event_filters` - [TODO DEPLOY] `rake db:migrate` - [TODO DEPLOY] `bundle install` -- [TODO DEPLOY] add `EXCEL_DATE_FORMAT` environment variable in `application.yml` +- [TODO DEPLOY] add `EXCEL_DATE_FORMAT`, `ALLOWED_EXTENSIONS` and `ALLOWED_MIME_TYPES` environment variable in `application.yml` - [OPTIONAL] `rake fablab:fix:assign_category_to_uncategorized_events` (will put every non-categorized events into a new category called "No Category", to ease re-categorization) ## v2.3.1 2016 September 26 
diff --git a/README.md b/README.md index 058494c52..743887833 100644 --- a/README.md +++ b/README.md @@ -239,6 +239,29 @@ Retrieve them from https://apps.twitter.com This is optional. You can follow [this guide to get your personal App ID](https://developers.facebook.com/docs/apps/register). If you do so, you'll be able to customize and get statistics about project shares on Facebook. + LOG_LEVEL + +This parameter configures the logs verbosity. +Available log levels can be found [here](http://guides.rubyonrails.org/debugging_rails_applications.html#log-levels). + + ALLOWED_EXTENSIONS + +Exhaustive list of file's extensions available for public upload as project's CAO attachements. +Each item in the list must be separated from the others by a space char. +You will probably want to check that this list match the `ALLOWED_MIME_TYPES` values below. +Please consider that allowing file archives (eg. ZIP) or binary executable (eg. EXE) may result in a **dangerous** security issue and must be avoided in any cases. + + ALLOWED_MIME_TYPES + +Exhaustive list of file's mime-types available for public upload as project's CAO attachements. +Each item in the list must be separated from the others by a space char. +You will probably want to check that this list match the `ALLOWED_EXTENSIONS` values above. +Please consider that allowing file archives (eg. application/zip) or binary executable (eg. application/exe) may result in a **dangerous** security issue and must be avoided in any cases. + + Settings related to Open Projects + +See the [Open Projects](#open-projects) section for a detailed description of these parameters. + Settings related to i18n See the [Settings](#i18n-settings) section of the [Internationalization (i18n)](#i18n) paragraph for a detailed description of these parameters. diff --git a/app/assets/javascripts/controllers/projects.coffee.erb b/app/assets/javascripts/controllers/projects.coffee.erb index a30a96d9a..c34e97e4d 100644 
--- a/app/assets/javascripts/controllers/projects.coffee.erb +++ b/app/assets/javascripts/controllers/projects.coffee.erb @@ -12,6 +12,7 @@ # - $scope.components = [{Component}] # - $scope.themes = [{Theme}] # - $scope.licences = [{Licence}] +# - $scope.allowedExtensions = [{String}] # - $scope.submited(content) # - $scope.cancel() # - $scope.addFile() @@ -26,7 +27,7 @@ # - $state (Ui-Router) [ 'app.public.projects_show', 'app.public.projects_list' ] ## class ProjectsController - constructor: ($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, _t)-> + constructor: ($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t)-> ## Retrieve the list of machines from the server Machine.query().$promise.then (data)-> @@ -52,8 +53,12 @@ class ProjectsController id: d.id name: d.name + ## Total number of documentation steps for the current project $scope.totalSteps = $scope.project.project_steps_attributes.length + ## List of extensions allowed for CAD attachements upload + $scope.allowedExtensions = allowedExtensions + ## 
@@ -315,8 +320,8 @@ Application.Controllers.controller "ProjectsController", ["$scope", "$state", 'P ## # Controller used in the project creation page ## -Application.Controllers.controller "NewProjectController", ["$scope", "$state", 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'Diacritics', 'dialogs', '_t' -, ($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, Diacritics, dialogs, _t) -> +Application.Controllers.controller "NewProjectController", ["$scope", "$state", 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'Diacritics', 'dialogs', 'allowedExtensions', '_t' +, ($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, Diacritics, dialogs, allowedExtensions, _t) -> CSRF.setMetaTags() ## API URL where the form will be posted @@ -333,7 +338,7 @@ Application.Controllers.controller "NewProjectController", ["$scope", "$state", $scope.matchingMembers = [] ## Using the ProjectsController - new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, _t) + new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t) ] 
@@ -341,8 +346,8 @@ Application.Controllers.controller "NewProjectController", ["$scope", "$state", ## # Controller used in the project edition page ## -Application.Controllers.controller "EditProjectController", ["$scope", "$state", '$stateParams', 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'projectPromise', 'Diacritics', 'dialogs', '_t' -, ($scope, $state, $stateParams, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, projectPromise, Diacritics, dialogs, _t) -> +Application.Controllers.controller "EditProjectController", ["$scope", "$state", '$stateParams', 'Project', 'Machine', 'Member', 'Component', 'Theme', 'Licence', '$document', 'CSRF', 'projectPromise', 'Diacritics', 'dialogs', 'allowedExtensions', '_t' +, ($scope, $state, $stateParams, Project, Machine, Member, Component, Theme, Licence, $document, CSRF, projectPromise, Diacritics, dialogs, allowedExtensions, _t) -> CSRF.setMetaTags() ## API URL where the form will be posted @@ -359,7 +364,7 @@ Application.Controllers.controller "EditProjectController", ["$scope", "$state", name: u.full_name ## Using the ProjectsController - new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, _t) + new ProjectsController($scope, $state, Project, Machine, Member, Component, Theme, Licence, $document, Diacritics, dialogs, allowedExtensions, _t) ] diff --git a/app/assets/javascripts/router.coffee.erb b/app/assets/javascripts/router.coffee.erb index 8d5984205..5d7f16cc0 100644 --- a/app/assets/javascripts/router.coffee.erb +++ b/app/assets/javascripts/router.coffee.erb 
@@ -270,6 +270,9 @@ angular.module('application.router', ['ui.router']). templateUrl: '<%= asset_path "projects/new.html" %>' controller: 'NewProjectController' resolve: + allowedExtensions: ['Project', (Project)-> + Project.allowedExtensions().$promise + ] translations: [ 'Translations', (Translations) -> Translations.query(['app.logged.projects_new', 'app.shared.project']).$promise ] @@ -296,6 +299,9 @@ angular.module('application.router', ['ui.router']). projectPromise: ['$stateParams', 'Project', ($stateParams, Project)-> Project.get(id: $stateParams.id).$promise ] + allowedExtensions: ['Project', (Project)-> + Project.allowedExtensions().$promise + ] translations: [ 'Translations', (Translations) -> Translations.query(['app.logged.projects_edit', 'app.shared.project']).$promise ] diff --git a/app/assets/javascripts/services/project.coffee b/app/assets/javascripts/services/project.coffee index 96c993506..7cfbaeab6 100644 --- a/app/assets/javascripts/services/project.coffee +++ b/app/assets/javascripts/services/project.coffee @@ -11,4 +11,8 @@ Application.Services.factory 'Project', ["$resource", ($resource)-> method: 'GET' url: '/api/projects/search' isArray: false + allowedExtensions: + method: 'GET' + url: '/api/projects/allowed_extensions' + isArray: true ] diff --git a/app/assets/templates/projects/_form.html.erb b/app/assets/templates/projects/_form.html.erb index e660e0501..8c75407e4 100644 --- a/app/assets/templates/projects/_form.html.erb +++ b/app/assets/templates/projects/_form.html.erb @@ -42,18 +42,22 @@
- - +
+ + -
-
- {{file.attachment}} +
+
+ {{file.attachment}} +
+ {{ 'browse' }} + {{ 'change' }} +
- {{ 'browse' }} - {{ 'change' }} -
- +
+ +
{{ 'add_a_new_file' | translate }}
diff --git a/app/controllers/api/projects_controller.rb b/app/controllers/api/projects_controller.rb index 2a6d4fffe..6dcc23b7b 100644 --- a/app/controllers/api/projects_controller.rb +++ b/app/controllers/api/projects_controller.rb @@ -57,6 +57,10 @@ class API::ProjectsController < API::ApiController render :index end + def allowed_extensions + render json: ENV['ALLOWED_EXTENSIONS'].split(' '), status: :ok + end + private def set_project @project = Project.find(params[:id]) diff --git a/app/models/project_cao.rb b/app/models/project_cao.rb index 49fe45248..a394a7811 100644 --- a/app/models/project_cao.rb +++ b/app/models/project_cao.rb @@ -2,13 +2,5 @@ class ProjectCao < Asset mount_uploader :attachment, ProjectCaoUploader validates :attachment, file_size: { maximum: 20.megabytes.to_i } - validates :attachment, :file_mime_type => { - :content_type => %w(application/pdf application/postscript application/illustrator - image/x-eps image/svg+xml application/sla application/dxf application/acad application/dwg - application/octet-stream application/step application/iges model/iges x-world/x-3dmf - application/ application/vnd.openxmlformats-officedocument.wordprocessingml.document - image/png text/x-arduino text/plain application/scad application/vnd.sketchup.skp - application/x-koan application/vnd-koan koan/x-skm application/vnd.koan application/x-tex - application/x-latex) - } + validates :attachment, :file_mime_type => { :content_type => ENV['ALLOWED_MIME_TYPES'].split(' ') } end diff --git a/app/uploaders/project_cao_uploader.rb b/app/uploaders/project_cao_uploader.rb index 11777d649..fb5e4903e 100644 --- a/app/uploaders/project_cao_uploader.rb +++ b/app/uploaders/project_cao_uploader.rb 
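Review bot: `ENV['ALLOWED_EXTENSIONS'].split(' ')` in the new `allowed_extensions` action raises `NoMethodError` on `nil` whenever the variable is absent from `application.yml`, turning a missing config value into a 500 on every visit to the project form, since the router now resolves this endpoint before the page renders. The CHANGELOG only mentions the variable as a deploy step, so an instance upgraded without it fails in the most visible place. Reading it as `render json: ENV.fetch('ALLOWED_EXTENSIONS', '').split, status: :ok` returns an empty list instead, which matches what the uploader would then accept; `split` without an argument already handles runs of whitespace the same way as `split(' ')`. Worth a comment above the action that the response is informational for the form and that the uploader and model validations remain the authoritative checks.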
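Review bot: The new `:content_type => ENV['ALLOWED_MIME_TYPES'].split(' ')` in `ProjectCao` is evaluated once when the class is loaded, so an unset variable aborts application boot under eager loading rather than failing a single upload, and changing the list requires a restart. If the validator only accepts a static array (I cannot see `file_mime_type` here), at least make the failure explicit with `ENV.fetch('ALLOWED_MIME_TYPES') { raise 'ALLOWED_MIME_TYPES is not set' }.split` so the cause is obvious at boot, and add a comment saying the list is read at load time. Note that with `ENV['ALLOWED_MIME_TYPES'].to_s.split` instead, a missing value would fail closed (every upload rejected), which is the safer default for a public upload path.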
@@ -39,7 +39,7 @@ class ProjectCaoUploader < CarrierWave::Uploader::Base # Add a white list of extensions which are allowed to be uploaded. # For images you might use something like this: def extension_white_list - %w(pdf ai eps cad math svg stl dxf dwg obj step iges igs 3dm 3dmf doc docx png ino scad fcad skp sldprt sldasm slddrw slddrt tex latex ps) + ENV['ALLOWED_EXTENSIONS'].split(' ') end # Override the filename of the uploaded files: diff --git a/config/application.yml.default b/config/application.yml.default index 723fb39b1..c46ee4815 100644 --- a/config/application.yml.default +++ b/config/application.yml.default @@ -56,3 +56,6 @@ OPENLAB_APP_ID: OPENLAB_BASE_URI: 'https://openprojects.fab-manager.com' LOG_LEVEL: 'debug' + +ALLOWED_EXTENSIONS: pdf ai eps cad math svg stl dxf dwg obj step iges igs 3dm 3dmf doc docx png ino scad fcad skp sldprt sldasm slddrw slddrt tex latex ps +ALLOWED_MIME_TYPES: application/pdf application/postscript application/illustrator image/x-eps image/svg+xml application/sla application/dxf application/acad application/dwg application/octet-stream application/step application/iges model/iges x-world/x-3dmf application/ application/vnd.openxmlformats-officedocument.wordprocessingml.document image/png text/x-arduino text/plain application/scad application/vnd.sketchup.skp application/x-koan application/vnd-koan koan/x-skm application/vnd.koan application/x-tex application/x-latex diff --git a/config/locales/app.shared.en.yml b/config/locales/app.shared.en.yml index d76a8ffec..c8d06c2f5 100644 --- a/config/locales/app.shared.en.yml +++ b/config/locales/app.shared.en.yml @@ -128,6 +128,7 @@ en: illustration: "Illustration" add_an_illustration: "Add an illustration" CAD_file: "CAD file" + allowed_extensions: "Allowed extensions:" add_a_new_file: "Add a new file" steps: "Steps" step_title: "Step title" diff --git a/config/locales/app.shared.fr.yml b/config/locales/app.shared.fr.yml index a10871241..8e18fe73a 100644 
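Review bot: `extension_white_list` now returns `ENV['ALLOWED_EXTENSIONS'].split(' ')`, which raises on `nil` during the upload itself if the variable is missing, surfacing as an unhandled error rather than a validation message. `ENV['ALLOWED_EXTENSIONS'].to_s.split` fails closed (empty whitelist, every file rejected), which is preferable for a public upload endpoint. The method is called per upload so the list is re-read each time, unlike the model's MIME list; a one-line comment `# Re-read on each upload; unset or empty ALLOWED_EXTENSIONS rejects every file` would document that difference. I cannot tell from this hunk whether the CarrierWave version in use matches extensions case-insensitively, so it is worth confirming that `.PDF` is treated like `.pdf` before relying on a lowercase-only list.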
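Review bot: The default `ALLOWED_MIME_TYPES` list contains `application/octet-stream` and the bare prefix `application/`, which together accept essentially any binary upload at the MIME layer, so the MIME check the CHANGELOG advertises adds little on top of the extension whitelist with these defaults. That is inherited from the old hard-coded list, but now that administrators edit this value the README's warning about archives and executables should be mirrored here, because someone adding `zip` to `ALLOWED_EXTENSIONS` will find the MIME check already lets it through. A comment above the two entries, such as `# Both lists are checked on upload; keep them in sync. application/octet-stream and application/ match most binaries, so the extension list is the effective guard`, would make that dependency explicit. It is also worth confirming how the validator treats the `application/` entry, since a prefix match versus an exact match changes what it admits.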
--- a/config/locales/app.shared.fr.yml +++ b/config/locales/app.shared.fr.yml @@ -128,6 +128,7 @@ fr: illustration: "Illustration" add_an_illustration: "Ajouter un visuel" CAD_file: "Fichier CAO" + allowed_extensions: "Extensions autorisées :" add_a_new_file: "Ajouter un nouveau fichier" steps: "Étapes" step_title: "Titre de l'étape" diff --git a/config/routes.rb b/config/routes.rb index 66ac9ce89..bfcaac9f6 100644 --- a/config/routes.rb +++ b/config/routes.rb @@ -26,10 +26,11 @@ Rails.application.routes.draw do root 'application#index' namespace :api, as: nil, defaults: { format: :json } do - resources :projects, only: [:index, :last_published, :show, :create, :update, :destroy] do + resources :projects, only: [:index, :show, :create, :update, :destroy] do collection do get :last_published get :search + get :allowed_extensions end end resources :openlab_projects, only: :index