mirror of https://github.com/wekan/wekan
The Open Source kanban (built with Meteor). Keep variable/table/field names camelCase. For translations, only add Pull Request changes to wekan/i18n/en.i18n.json , other translations are done at https://transifex.com/wekan/wekan only.
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
79 lines
2.4 KiB
79 lines
2.4 KiB
Attachments = new FS.Collection('attachments', {
|
|
stores: [
|
|
|
|
// XXX Add a new store for cover thumbnails so we don't load big images in
|
|
// the general board view
|
|
new FS.Store.GridFS('attachments')
|
|
]
|
|
});
|
|
|
|
if (Meteor.isServer) {
|
|
Attachments.allow({
|
|
insert: function(userId, doc) {
|
|
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
|
|
},
|
|
update: function(userId, doc) {
|
|
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
|
|
},
|
|
remove: function(userId, doc) {
|
|
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
|
|
},
|
|
// We authorize the attachment download either:
|
|
// - if the board is public, everyone (even unconnected) can download it
|
|
// - if the board is private, only board members can download it
|
|
//
|
|
// XXX We have a bug with the `userId` verification:
|
|
//
|
|
// https://github.com/CollectionFS/Meteor-CollectionFS/issues/449
|
|
//
|
|
download: function(userId, doc) {
|
|
var query = {
|
|
$or: [
|
|
{ 'members.userId': userId },
|
|
{ permission: 'public' }
|
|
]
|
|
};
|
|
return !! Boards.findOne(doc.boardId, query);
|
|
},
|
|
|
|
fetch: ['boardId']
|
|
});
|
|
}
|
|
|
|
// XXX Enforce a schema for the Attachments CollectionFS
|
|
|
|
Attachments.files.before.insert(function(userId, doc) {
|
|
var file = new FS.File(doc);
|
|
doc.userId = userId;
|
|
|
|
// If the uploaded document is not an image we need to enforce browser
|
|
// download instead of execution. This is particularly important for HTML
|
|
// files that the browser will just execute if we don't serve them with the
|
|
// appropriate `application/octet-stream` MIME header which can lead to user
|
|
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
|
|
// See https://github.com/libreboard/libreboard/issues/99
|
|
// XXX Should we use `beforeWrite` option of CollectionFS instead of
|
|
// collection-hooks?
|
|
if (! file.isImage()) {
|
|
file.original.type = 'application/octet-stream';
|
|
}
|
|
});
|
|
|
|
if (Meteor.isServer) {
|
|
Attachments.files.after.insert(function(userId, doc) {
|
|
Activities.insert({
|
|
type: 'card',
|
|
activityType: 'addAttachment',
|
|
attachmentId: doc._id,
|
|
boardId: doc.boardId,
|
|
cardId: doc.cardId,
|
|
userId: userId
|
|
});
|
|
});
|
|
|
|
Attachments.files.after.remove(function(userId, doc) {
|
|
Activities.remove({
|
|
attachmentId: doc._id
|
|
});
|
|
});
|
|
}
|
|
|