
use the db settings to validate mime types & extensions + fix texts + force lowercase

This commit is contained in:
Sylvain 2020-06-03 17:56:39 +02:00
parent 8f32eb92db
commit 6af3f12917
10 changed files with 23 additions and 36 deletions


@ -188,9 +188,18 @@ Application.Controllers.controller('AdminProjectsController', ['$scope', '$state
* @returns {String}
*/
$scope.removeInitialDot = function (extension) {
if (extension.substr(0, 1) === '.') return extension.substr(1);
if (extension.substr(0, 1) === '.') return $scope.lower(extension.substr(1));
return extension;
return $scope.lower(extension);
};
/**
* Return the lowercase version of the provided string
* @param text {String}
* @returns {string}
*/
$scope.lower = function (text) {
return text.toLowerCase();
};
/**
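Review bot: `$scope.lower` on the added lines calls `text.toLowerCase()` with no guard, so a `before-add` call with an empty or undefined value throws instead of rejecting the entry; `return (text || '').toLowerCase();` keeps the hook safe. The normalisation is also purely client-side — it runs only when an admin adds a value through this screen, so extensions already stored in the settings (including any carried over from the old ENV variables) or written by another path are not lowercased; if the server-side whitelist comparison is case-sensitive, a `.downcase` in the uploader is the reliable place for it. The `@returns` tag on `lower` uses `{string}` while the neighbouring doc block uses `{String}`; keep them consistent. The controller this belongs to continues outside the hunk.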


@ -31,7 +31,7 @@
settings="allSettings"
label="app.admin.projects.settings.extensions"
title-new="app.admin.projects.settings.new_extension"
description-new="app.admin.projects.settings.new_ext_info"
description-new="app.admin.projects.settings.new_ext_info_html"
before-add="removeInitialDot">
</select-multiple-setting>
</div>
@ -40,7 +40,8 @@
settings="allSettings"
label="app.admin.projects.settings.mime_types"
title-new="app.admin.projects.settings.new_mime_type"
description-new="app.admin.projects.settings.new_type_info">
description-new="app.admin.projects.settings.new_type_info_html"
before-add="lower">
</select-multiple-setting>
</div>
<form name="mimeTestForm" class="col-md-6 m-t-lg" ng-upload="onTestFileComplete(content)" upload-options-enable-rails-csrf="true" action="/api/files/mime_type">


@ -22,7 +22,7 @@
<h3 class="modal-title" translate>{{ titleNew }}</h3>
</div>
<div class="modal-body">
<p class="alert alert-info" ng-show="descriptionNew" translate>{{ descriptionNew }}</p>
<p class="alert alert-info" ng-show="descriptionNew" ng-bind-html="descriptionNew | translate"></p>
<form class="row m-md" name="newSelectOptionForm">
<input type="text" class="form-control" ng-model="value" required>
</form>
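Review bot: Switching `descriptionNew` from `translate` (text) to `ng-bind-html="descriptionNew | translate"` renders the description as markup, so this directive is now safe only while `description-new` is always a translation key from the locale files and never user-supplied text; a short comment on the directive's `descriptionNew` binding stating that contract would stop the next caller from passing free text. Whether `ngSanitize` is loaded is not visible from the hunk: with it, the filter output is sanitised on the way in, without it AngularJS refuses to render a plain string in `ng-bind-html`, so it is worth confirming rather than assuming. The same `_html` keys are passed from the two `select-multiple-setting` usages in the admin projects template in this commit.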


@ -23,11 +23,11 @@ class ProjectCaoUploader < CarrierWave::Uploader::Base
# Add a white list of extensions which are allowed to be uploaded.
# For images you might use something like this:
def extension_whitelist
ENV['ALLOWED_EXTENSIONS'].split(' ')
Setting.get('allowed_cad_extensions').split(' ')
end
def content_type_whitelist
ENV['ALLOWED_MIME_TYPES'].split(' ')
Setting.get('allowed_cad_mime_types').split(' ')
end
private
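Review bot: `Setting.get('allowed_cad_extensions').split(' ')` on the new line raises NoMethodError when the setting has no value yet, which surfaces as a server error on every CAD upload rather than a rejected file; `Setting.get('allowed_cad_extensions').to_s.split` keeps the check fail-closed (an empty whitelist should reject every upload), and the same applies to `content_type_whitelist` below. The two comment lines above `extension_whitelist` are the CarrierWave template text (`# For images you might use something like this:`) and no longer describe the code; replace them with `# Allowed extensions / MIME types are admin-managed, space-separated settings; an empty list rejects all uploads.` Note that the default MIME list shipped in the removed env.example line includes `application/octet-stream`, the generic type for unidentified binaries, so the extension whitelist is doing most of the real filtering — worth a comment so nobody loosens it assuming the MIME check covers it. Whether CarrierWave compares extensions case-insensitively in the version used here is not visible from the hunk, which is why a `.map(&:downcase)` here would make the whitelist independent of how the admin UI normalised the value.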


@ -149,10 +149,10 @@ en:
validation_info: "Users can upload CAD (Computer Aided Design) files with the documentation of their projects. You can specify which files types are allowed. Use the test input below to determine the MIME type of a file."
extensions: "Allowed extensions"
new_extension: "New extension"
new_ext_info: "Specify a new file extension to allow these files to be uploaded."
new_ext_info_html: "<p>Specify a new file extension to allow these files to be uploaded.</p><p>Please consider that allowing file archives (eg. ZIP) or binary executable (eg. EXE) may result in a <strong>dangerous security issue</strong> and must be avoided in any cases.</p>"
mime_types: "Allowed MIME types"
new_mime_type: "New MIME type"
new_type_info: "Specify a new MIME type to allow these files to be uploaded. Please use the test input to determine the MIME type of a file."
new_type_info_html: "<p>Specify a new MIME type to allow these files to be uploaded.</p><p>Please use the test input to determine the MIME type of a file. Please consider that allowing file archives (eg. application/zip) or binary executable (eg. application/exe) may result in a <strong>dangerous security issue</strong> and must be avoided in any cases.</p>"
test_file: "Test a file"
set_a_file: "Select a file"
file_is_TYPE: "MIME type of this file is {TYPE}"


@ -144,15 +144,15 @@ fr:
disqus: "Disqus"
disqus_info: "Si vous voulez permettre à vos membres et visiteurs de commenter les projets, vous pouvez activer les forums Disqus en définissant le paramètre suivant. Rendez-vous sur <a href='https://help.disqus.com/customer/portal/articles/466208-what-s-a-shortname-' target='_blank'>le site web de Disqus</a> pour plus d'informations."
shortname: "Nom court"
cad_files: "Fichier CAO"
cad_files: "Fichiers CAO"
validation: "Validation"
validation_info: "Les utilisateurs peuvent téléverser des fichiers de CAO (Conception Assistée par Ordinateur) avec la documentation de leurs projets. Vous pouvez spécifier quels types de fichiers sont autorisés. Utilisez le champ de test ci-dessous pour déterminer le type MIME d'un fichier."
extensions: "Extensions autorisées"
new_extension: "Nouvelle extension"
new_info: "Spécifiez une nouvelle extension de fichier pour autoriser ces fichiers à être téléversés."
new_ext_info_html: "<p>Spécifiez une nouvelle extension de fichier pour autoriser ces fichiers à être téléversés.</p><p>Veuillez noter que l'autorisation d'archives de fichiers (ex: ZIP) ou d'exécutables binaires (ex: EXE) peut entraîner un vrai <strong>problème de sécurité</strong> et doit être évitée dans tous les cas.</p>"
mime_types: "Types MIME autorisés"
new_mime_type: "Nouveau type MIME"
new_type_info: "Spécifiez un nouveau type MIME pour autoriser ces fichiers à être téléversés. Veuillez utiliser le champ de test pour déterminer le type MIME d'un fichier."
new_type_info_html: "<p>Spécifiez un nouveau type MIME pour autoriser ces fichiers à être téléversés.</p><p>Veuillez utiliser le champ de test pour déterminer le type MIME d'un fichier. Veuillez noter que l'autorisation d'archives de fichiers (ex: application/zip) ou d'exécutables binaires (ex: application/exe) peut entraîner un vrai <strong>problème de sécurité</strong> et doit être évitée dans tous les cas.</p>"
test_file: "Tester un fichier"
set_a_file: "Sélectionner un fichier"
file_is_TYPE: "Le type MIME de ce fichier est {TYPE}"


@ -125,22 +125,6 @@ The variable `DEFAULT_HOST` should be your domain name (eg. fabmanager.example.c
This parameter configures the logs verbosity.
Available log levels can be found [here](http://guides.rubyonrails.org/debugging_rails_applications.html#log-levels).
<a name="ALLOWED_EXTENSIONS"></a>
ALLOWED_EXTENSIONS
Exhaustive list of file's extensions available for public upload as project's CAO attachements.
Each item in the list must be separated from the others by a space char.
You will probably want to check that this list match the `ALLOWED_MIME_TYPES` values below.
Please consider that allowing file archives (eg. ZIP) or binary executable (eg. EXE) may result in a **dangerous** security issue and must be avoided in any cases.
<a name="ALLOWED_MIME_TYPES"></a>
ALLOWED_MIME_TYPES
Exhaustive list of file's mime-types available for public upload as project's CAO attachements.
Each item in the list must be separated from the others by a space char.
You will probably want to check that this list match the `ALLOWED_EXTENSIONS` values above.
Please consider that allowing file archives (eg. application/zip) or binary executable (eg. application/exe) may result in a **dangerous** security issue and must be avoided in any cases.
<a name="MAX_IMAGE_SIZE"></a>
MAX_IMAGE_SIZE


@ -67,9 +67,6 @@ LOG_LEVEL=debug
DISK_SPACE_MB_ALERT=100
SUPERADMIN_EMAIL=admin@sleede.com
ALLOWED_EXTENSIONS=pdf ai eps cad math svg stl dxf dwg obj step iges igs 3dm 3dmf doc docx png ino scad fcad skp sldprt sldasm slddrw slddrt tex latex ps fcstd fcstd1
ALLOWED_MIME_TYPES=application/pdf application/postscript application/illustrator image/x-eps image/svg+xml application/sla application/dxf application/acad application/dwg application/octet-stream application/step application/iges model/iges x-world/x-3dmf application/vnd.openxmlformats-officedocument.wordprocessingml.document image/png text/x-arduino text/plain application/scad application/vnd.sketchup.skp application/x-koan application/vnd-koan koan/x-skm application/vnd.koan application/x-tex application/x-latex application/x-extension-fcstd
# 5242880 = 5 megabytes
MAX_IMPORT_SIZE=5242880
# 10485760 = 10 megabytes


@ -57,10 +57,6 @@ DISK_SPACE_MB_ALERT='100'
SUPERADMIN_EMAIL=
ALLOW_INSECURE_HTTP=false
ALLOWED_EXTENSIONS=pdf ai eps cad math svg stl dxf dwg obj step iges igs 3dm 3dmf doc docx png ino scad fcad skp sldprt sldasm slddrw slddrt tex latex ps fcstd fcstd1
ALLOWED_MIME_TYPES=application/pdf application/postscript application/illustrator image/x-eps image/svg+xml application/sla application/dxf application/acad application/dwg application/octet-stream application/step application/iges model/iges x-world/x-3dmf application/ application/vnd.openxmlformats-officedocument.wordprocessingml.document image/png text/x-arduino text/plain application/scad application/vnd.sketchup.skp application/x-koan application/vnd-koan koan/x-skm application/vnd.koan application/x-tex application/x-latex application/x-extension-fcstd
# 5242880 = 5 megabytes
MAX_IMPORT_SIZE='5242880'
# 10485760 = 10 megabytes


@ -237,7 +237,7 @@ configure_env_file()
variables=(STRIPE_API_KEY STRIPE_PUBLISHABLE_KEY STRIPE_CURRENCY INVOICE_PREFIX FABLAB_WITHOUT_ONLINE_PAYMENT FABLAB_WITHOUT_WALLET \
USER_CONFIRMATION_NEEDED_TO_SIGN_IN DEFAULT_HOST DEFAULT_PROTOCOL DELIVERY_METHOD SMTP_ADDRESS SMTP_PORT SMTP_USER_NAME SMTP_PASSWORD SMTP_AUTHENTICATION \
SMTP_ENABLE_STARTTLS_AUTO SMTP_OPENSSL_VERIFY_MODE SMTP_TLS \
LOG_LEVEL ALLOWED_EXTENSIONS ALLOWED_MIME_TYPES MAX_IMAGE_SIZE MAX_CAO_SIZE MAX_IMPORT_SIZE DISK_SPACE_MB_ALERT \
LOG_LEVEL MAX_IMAGE_SIZE MAX_CAO_SIZE MAX_IMPORT_SIZE DISK_SPACE_MB_ALERT \
SUPERADMIN_EMAIL APP_LOCALE RAILS_LOCALE MOMENT_LOCALE SUMMERNOTE_LOCALE ANGULAR_LOCALE FULLCALENDAR_LOCALE ELASTICSEARCH_LANGUAGE_ANALYZER TIME_ZONE \
WEEK_STARTING_DAY D3_DATE_FORMAT UIB_DATE_FORMAT EXCEL_DATE_FORMAT OPENLAB_APP_ID OPENLAB_APP_SECRET OPENLAB_DEFAULT)
for variable in "${variables[@]}"; do
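Review bot: Dropping `ALLOWED_EXTENSIONS` and `ALLOWED_MIME_TYPES` from `variables` on the new line means `configure_env_file` stops carrying them over, but an existing installation's env file may still hold a customised list; nothing visible in this commit copies those values into the new `allowed_cad_extensions` / `allowed_cad_mime_types` settings, so an admin who had tightened or loosened the list would silently fall back to whatever default the settings receive. A one-off migration reading the old variables, or an explicit upgrade note, is worth considering if it does not already exist elsewhere. `configure_env_file` starts before this hunk and continues after it.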