wekan/models/attachments.js

Attachments = new FS.Collection('attachments', {
  stores: [

    // XXX Add a new store for cover thumbnails so we don't load big images in
    // the general board view
    new FS.Store.GridFS('attachments', {
      // If the uploaded document is not an image we need to enforce browser
      // download instead of execution. This is particularly important for HTML
      // files that the browser will just execute if we don't serve them with the
      // appropriate `application/octet-stream` MIME header which can lead to user
      // data leaks. I imagine other formats (like PDF) can also be attack vectors.
      // See https://github.com/wekan/wekan/issues/99
      // XXX Should we use `beforeWrite` option of CollectionFS instead of
      // collection-hooks?
      // We should use `beforeWrite`.
      beforeWrite: (fileObj) => {
        if (!fileObj.isImage()) {
          return {
            type: 'application/octet-stream',
          };
        }
        return {};
      },
    }),
  ],
});


if (Meteor.isServer) {
  Meteor.startup(() => {
    Attachments.files._ensureIndex({ cardId: 1 });
  });

  Attachments.allow({
    insert(userId, doc) {
      return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    },
    update(userId, doc) {
      return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    },
    remove(userId, doc) {
      return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
    },
    // We authorize the attachment download either:
    // - if the board is public, everyone (even unconnected) can download it
    // - if the board is private, only board members can download it
    download(userId, doc) {
      const board = Boards.findOne(doc.boardId);
      if (board.isPublic()) {
        return true;
      } else {
        return board.hasMember(userId);
      }
    },

    fetch: ['boardId'],
  });
}

// XXX Enforce a schema for the Attachments CollectionFS

if (Meteor.isServer) {
  Attachments.files.after.insert((userId, doc) => {
    // If the attachment doesn't have a source field
    // or its source is different than import
    if (!doc.source || doc.source !== 'import') {
      // Add activity about adding the attachment
      Activities.insert({
        userId,
        type: 'card',
        activityType: 'addAttachment',
        attachmentId: doc._id,
        boardId: doc.boardId,
        cardId: doc.cardId,
        listId: doc.listId,
        swimlaneId: doc.swimlaneId,
      });
    } else {
      // Don't add activity about adding the attachment as the activity
      // be imported and delete source field
      Attachments.update({
        _id: doc._id,
      }, {
        $unset: {
          source: '',
        },
      });
    }
  });

  Attachments.files.before.remove((userId, doc) => {
    Activities.insert({
      userId,
      type: 'card',
      activityType: 'deleteAttachment',
      attachmentId: doc._id,
      boardId: doc.boardId,
      cardId: doc.cardId,
      listId: doc.listId,
      swimlaneId: doc.swimlaneId,
    });
  });

  Attachments.files.after.remove((userId, doc) => {
    Activities.remove({
      attachmentId: doc._id,
    });
  });
}
Fix lint errors back to eslint requirements. 7 years ago			`Attachments = new FS.Collection('attachments', {`
			`stores: [`
Fix lint errors. Update changelog. 7 years ago
Fix lint errors back to eslint requirements. 7 years ago			`// XXX Add a new store for cover thumbnails so we don't load big images in`
			`// the general board view`
			`new FS.Store.GridFS('attachments', {`
			`// If the uploaded document is not an image we need to enforce browser`
			`// download instead of execution. This is particularly important for HTML`
			`// files that the browser will just execute if we don't serve them with the`
			// appropriate `application/octet-stream` MIME header which can lead to user
			`// data leaks. I imagine other formats (like PDF) can also be attack vectors.`
			`// See https://github.com/wekan/wekan/issues/99`
			// XXX Should we use `beforeWrite` option of CollectionFS instead of
			`// collection-hooks?`
			// We should use `beforeWrite`.
			`beforeWrite: (fileObj) => {`
			`if (!fileObj.isImage()) {`
			`return {`
			`type: 'application/octet-stream',`
			`};`
use beforeWrite method of CollectionFS instead of collection-hooks 8 years ago			`}`
Fix lint errors back to eslint requirements. 7 years ago			`return {};`
use beforeWrite method of CollectionFS instead of collection-hooks 8 years ago			`},`
Fix lint errors back to eslint requirements. 7 years ago			`}),`
			`],`
			`});`
Renaissance _,,ad8888888888bba,_ ,ad88888I888888888888888ba, ,88888888I88888888888888888888a, ,d888888888I8888888888888888888888b, d88888PP"""" ""YY88888888888888888888b, ,d88"'__,,--------,,,,.;ZZZY8888888888888, ,8IIl'" ;;l"ZZZIII8888888888, ,I88l;' ;lZZZZZ888III8888888, ,II88Zl;. ;llZZZZZ888888I888888, ,II888Zl;. .;;;;;lllZZZ888888I8888b ,II8888Z;; `;;;;;''llZZ8888888I8888, II88888Z;' .;lZZZ8888888I888b II88888Z; _,aaa, .,aaaaa,__.l;llZZZ88888888I888 II88888IZZZZZZZZZ, .ZZZZZZZZZZZZZZ;llZZ88888888I888, II88888IZZ<'(@@>Z\| \|ZZZ<'(@@>ZZZZ;;llZZ888888888I88I ,II88888; `""" ;\| \|ZZ; `""" ;;llZ8888888888I888 II888888l `;; .;llZZ8888888888I888, ,II888888Z; ;;; .;;llZZZ8888888888I888I III888888Zl; .., `;; ,;;lllZZZ88888888888I888 II88888888Z;;...;(_ _) ,;;;llZZZZ88888888888I888, II88888888Zl;;;;;' `--'Z;. .,;;;;llZZZZ88888888888I888b ]I888888888Z;;;;' ";llllll;..;;;lllZZZZ88888888888I8888, II888888888Zl.;;"Y88bd888P";;,..;lllZZZZZ88888888888I8888I II8888888888Zl;.; `"PPP";;;,..;lllZZZZZZZ88888888888I88888 II888888888888Zl;;. `;;;l;;;;lllZZZZZZZZW88888888888I88888 `II8888888888888Zl;. ,;;lllZZZZZZZZWMZ88888888888I88888 II8888888888888888ZbaalllZZZZZZZZZWWMZZZ8888888888I888888, `II88888888888888888b"WWZZZZZWWWMMZZZZZZI888888888I888888b `II88888888888888888;ZZMMMMMMZZZZZZZZllI888888888I8888888 `II8888888888888888 `;lZZZZZZZZZZZlllll888888888I8888888, II8888888888888888, `;lllZZZZllllll;;.Y88888888I8888888b, ,II8888888888888888b .;;lllllll;;;.;..88888888I88888888b, II888888888888888PZI;. .`;;;.;;;..; ...88888888I8888888888, II888888888888PZ;;';;. ;. .;. .;. .. Y8888888I88888888888b, ,II888888888PZ;;' `8888888I8888888888888b, II888888888' 888888I8888888888888888 ,II888888888 ,888888I8888888888888888 ,d88888888888 d888888I8888888888ZZZZZZ ,ad888888888888I 8888888I8888ZZZZZZZZZZZZ 888888888888888' 888888IZZZZZZZZZZZZZZZZZ 8888888888P'8P' Y888ZZZZZZZZZZZZZZZZZZZZ 888888888, " ,ZZZZZZZZZZZZZZZZZZZZZZZ 8888888888, ,ZZZZZZZZZZZZZZZZZZZZZZZZZZ 888888888888a, _ ,ZZZZZZZZZZZZZZZZZZZZ88888888 888888888888888ba,_d' ,ZZZZZZZZZZZZZZZZZ8888888888888 8888888888888888888888bbbaaa,,,______,ZZZZZZZZZZZZZZZ88888888888888888 88888888888888888888888888888888888ZZZZZZZZZZZZZZZ88888888888888888888 8888888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888 888888888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888888888 8888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888 88888888888888888888888888888ZZZZZZZZZZZZZZ888888888888888888888888888 8888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888 Normand 8 88888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888 Veilleux 8 8888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888888888 10 years ago
Meteor 1.6.0.1, Node 8.9.3, NPM 5.5.1, fibers 2.0.0 7 years ago
Fix lint errors back to eslint requirements. 7 years ago			`if (Meteor.isServer) {`
Performance Enhancements 6 years ago			`Meteor.startup(() => {`
			`Attachments.files._ensureIndex({ cardId: 1 });`
			`});`

Fix lint errors back to eslint requirements. 7 years ago			`Attachments.allow({`
			`insert(userId, doc) {`
			`return allowIsBoardMember(userId, Boards.findOne(doc.boardId));`
			`},`
			`update(userId, doc) {`
			`return allowIsBoardMember(userId, Boards.findOne(doc.boardId));`
			`},`
			`remove(userId, doc) {`
			`return allowIsBoardMember(userId, Boards.findOne(doc.boardId));`
			`},`
			`// We authorize the attachment download either:`
			`// - if the board is public, everyone (even unconnected) can download it`
			`// - if the board is private, only board members can download it`
			`download(userId, doc) {`
			`const board = Boards.findOne(doc.boardId);`
			`if (board.isPublic()) {`
			`return true;`
Fix files access bug 8 years ago			`} else {`
Fix lint errors back to eslint requirements. 7 years ago			`return board.hasMember(userId);`
Fix files access bug 8 years ago			`}`
Fix lint errors back to eslint requirements. 7 years ago			`},`

			`fetch: ['boardId'],`
			`});`
			`}`
Renaissance _,,ad8888888888bba,_ ,ad88888I888888888888888ba, ,88888888I88888888888888888888a, ,d888888888I8888888888888888888888b, d88888PP"""" ""YY88888888888888888888b, ,d88"'__,,--------,,,,.;ZZZY8888888888888, ,8IIl'" ;;l"ZZZIII8888888888, ,I88l;' ;lZZZZZ888III8888888, ,II88Zl;. ;llZZZZZ888888I888888, ,II888Zl;. .;;;;;lllZZZ888888I8888b ,II8888Z;; `;;;;;''llZZ8888888I8888, II88888Z;' .;lZZZ8888888I888b II88888Z; _,aaa, .,aaaaa,__.l;llZZZ88888888I888 II88888IZZZZZZZZZ, .ZZZZZZZZZZZZZZ;llZZ88888888I888, II88888IZZ<'(@@>Z\| \|ZZZ<'(@@>ZZZZ;;llZZ888888888I88I ,II88888; `""" ;\| \|ZZ; `""" ;;llZ8888888888I888 II888888l `;; .;llZZ8888888888I888, ,II888888Z; ;;; .;;llZZZ8888888888I888I III888888Zl; .., `;; ,;;lllZZZ88888888888I888 II88888888Z;;...;(_ _) ,;;;llZZZZ88888888888I888, II88888888Zl;;;;;' `--'Z;. .,;;;;llZZZZ88888888888I888b ]I888888888Z;;;;' ";llllll;..;;;lllZZZZ88888888888I8888, II888888888Zl.;;"Y88bd888P";;,..;lllZZZZZ88888888888I8888I II8888888888Zl;.; `"PPP";;;,..;lllZZZZZZZ88888888888I88888 II888888888888Zl;;. `;;;l;;;;lllZZZZZZZZW88888888888I88888 `II8888888888888Zl;. ,;;lllZZZZZZZZWMZ88888888888I88888 II8888888888888888ZbaalllZZZZZZZZZWWMZZZ8888888888I888888, `II88888888888888888b"WWZZZZZWWWMMZZZZZZI888888888I888888b `II88888888888888888;ZZMMMMMMZZZZZZZZllI888888888I8888888 `II8888888888888888 `;lZZZZZZZZZZZlllll888888888I8888888, II8888888888888888, `;lllZZZZllllll;;.Y88888888I8888888b, ,II8888888888888888b .;;lllllll;;;.;..88888888I88888888b, II888888888888888PZI;. .`;;;.;;;..; ...88888888I8888888888, II888888888888PZ;;';;. ;. .;. .;. .. Y8888888I88888888888b, ,II888888888PZ;;' `8888888I8888888888888b, II888888888' 888888I8888888888888888 ,II888888888 ,888888I8888888888888888 ,d88888888888 d888888I8888888888ZZZZZZ ,ad888888888888I 8888888I8888ZZZZZZZZZZZZ 888888888888888' 888888IZZZZZZZZZZZZZZZZZ 8888888888P'8P' Y888ZZZZZZZZZZZZZZZZZZZZ 888888888, " ,ZZZZZZZZZZZZZZZZZZZZZZZ 8888888888, ,ZZZZZZZZZZZZZZZZZZZZZZZZZZ 888888888888a, _ ,ZZZZZZZZZZZZZZZZZZZZ88888888 888888888888888ba,_d' ,ZZZZZZZZZZZZZZZZZ8888888888888 8888888888888888888888bbbaaa,,,______,ZZZZZZZZZZZZZZZ88888888888888888 88888888888888888888888888888888888ZZZZZZZZZZZZZZZ88888888888888888888 8888888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888 888888888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888888888 8888888888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888 88888888888888888888888888888ZZZZZZZZZZZZZZ888888888888888888888888888 8888888888888888888888888888ZZZZZZZZZZZZZZ88888888888888888 Normand 8 88888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888 Veilleux 8 8888888888888888888888888ZZZZZZZZZZZZZZ8888888888888888888888888888888 10 years ago
Fix lint errors back to eslint requirements. 7 years ago			`// XXX Enforce a schema for the Attachments CollectionFS`

			`if (Meteor.isServer) {`
			`Attachments.files.after.insert((userId, doc) => {`
			`// If the attachment doesn't have a source field`
			`// or its source is different than import`
			`if (!doc.source \|\| doc.source !== 'import') {`
			`// Add activity about adding the attachment`
			`Activities.insert({`
			`userId,`
			`type: 'card',`
			`activityType: 'addAttachment',`
Add source field to imported attachments We use this field to prevent adding attachments' related activities automatically only. Then this field will be removed. 8 years ago			`attachmentId: doc._id,`
Fix lint errors back to eslint requirements. 7 years ago			`boardId: doc.boardId,`
			`cardId: doc.cardId,`
Add variables for activity notifications Fixes #2285 6 years ago			`listId: doc.listId,`
			`swimlaneId: doc.swimlaneId,`
Add source field to imported attachments We use this field to prevent adding attachments' related activities automatically only. Then this field will be removed. 8 years ago			`});`
Fix lint errors back to eslint requirements. 7 years ago			`} else {`
			`// Don't add activity about adding the attachment as the activity`
			`// be imported and delete source field`
			`Attachments.update({`
			`_id: doc._id,`
			`}, {`
			`$unset: {`
			`source: '',`
			`},`
			`});`
			`}`
			`});`

Show attachment name in Outgoing Webhook when attachment is removed from card. Thanks to xet7 ! Related #2285 6 years ago			`Attachments.files.before.remove((userId, doc) => {`
Remove attachment activity 7 years ago			`Activities.insert({`
Fix lint errors. 7 years ago			`userId,`
			`type: 'card',`
			`activityType: 'deleteAttachment',`
Show attachment name in Outgoing Webhook when attachment is removed from card. Thanks to xet7 ! Related #2285 6 years ago			`attachmentId: doc._id,`
Fix lint errors. 7 years ago			`boardId: doc.boardId,`
			`cardId: doc.cardId,`
Add variables for activity notifications Fixes #2285 6 years ago			`listId: doc.listId,`
			`swimlaneId: doc.swimlaneId,`
Fix lint errors. 7 years ago			`});`
Fix lint errors back to eslint requirements. 7 years ago			`});`
Show attachment name in Outgoing Webhook when attachment is removed from card. Thanks to xet7 ! Related #2285 6 years ago
			`Attachments.files.after.remove((userId, doc) => {`
			`Activities.remove({`
			`attachmentId: doc._id,`
			`});`
			`});`
Fix lint errors back to eslint requirements. 7 years ago			`}`