mirror of https://github.com/wekan/wekan
The Open Source kanban (built with Meteor). Keep variable/table/field names camelCase. For translations, only add Pull Request changes to wekan/i18n/en.i18n.json , other translations are done at https://transifex.com/wekan/wekan only.
You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
263 lines
7.2 KiB
263 lines
7.2 KiB
const localFSStore = process.env.ATTACHMENTS_STORE_PATH;
|
|
const storeName = 'attachments';
|
|
const defaultStoreOptions = {
|
|
beforeWrite: fileObj => {
|
|
if (!fileObj.isImage()) {
|
|
return {
|
|
type: 'application/octet-stream',
|
|
};
|
|
}
|
|
return {};
|
|
},
|
|
};
|
|
let store;
|
|
if (localFSStore) {
|
|
// have to reinvent methods from FS.Store.GridFS and FS.Store.FileSystem
|
|
const fs = Npm.require('fs');
|
|
const path = Npm.require('path');
|
|
const mongodb = Npm.require('mongodb');
|
|
const Grid = Npm.require('gridfs-stream');
|
|
// calulate the absolute path here, because FS.Store.FileSystem didn't expose the aboslutepath or FS.Store didn't expose api calls :(
|
|
let pathname = localFSStore;
|
|
/*eslint camelcase: ["error", {allow: ["__meteor_bootstrap__"]}] */
|
|
|
|
if (!pathname && __meteor_bootstrap__ && __meteor_bootstrap__.serverDir) {
|
|
pathname = path.join(
|
|
__meteor_bootstrap__.serverDir,
|
|
`../../../cfs/files/${storeName}`,
|
|
);
|
|
}
|
|
|
|
if (!pathname)
|
|
throw new Error('FS.Store.FileSystem unable to determine path');
|
|
|
|
// Check if we have '~/foo/bar'
|
|
if (pathname.split(path.sep)[0] === '~') {
|
|
const homepath =
|
|
process.env.HOME || process.env.HOMEPATH || process.env.USERPROFILE;
|
|
if (homepath) {
|
|
pathname = pathname.replace('~', homepath);
|
|
} else {
|
|
throw new Error('FS.Store.FileSystem unable to resolve "~" in path');
|
|
}
|
|
}
|
|
|
|
// Set absolute path
|
|
const absolutePath = path.resolve(pathname);
|
|
|
|
const _FStore = new FS.Store.FileSystem(storeName, {
|
|
path: localFSStore,
|
|
...defaultStoreOptions,
|
|
});
|
|
const GStore = {
|
|
fileKey(fileObj) {
|
|
const key = {
|
|
_id: null,
|
|
filename: null,
|
|
};
|
|
|
|
// If we're passed a fileObj, we retrieve the _id and filename from it.
|
|
if (fileObj) {
|
|
const info = fileObj._getInfo(storeName, {
|
|
updateFileRecordFirst: false,
|
|
});
|
|
key._id = info.key || null;
|
|
key.filename =
|
|
info.name ||
|
|
fileObj.name({ updateFileRecordFirst: false }) ||
|
|
`${fileObj.collectionName}-${fileObj._id}`;
|
|
}
|
|
|
|
// If key._id is null at this point, createWriteStream will let GridFS generate a new ID
|
|
return key;
|
|
},
|
|
db: undefined,
|
|
mongoOptions: { useNewUrlParser: true },
|
|
mongoUrl: process.env.MONGO_URL,
|
|
init() {
|
|
this._init(err => {
|
|
this.inited = !err;
|
|
});
|
|
},
|
|
_init(callback) {
|
|
const self = this;
|
|
mongodb.MongoClient.connect(self.mongoUrl, self.mongoOptions, function(
|
|
err,
|
|
db,
|
|
) {
|
|
if (err) {
|
|
return callback(err);
|
|
}
|
|
self.db = db;
|
|
return callback(null);
|
|
});
|
|
return;
|
|
},
|
|
createReadStream(fileKey, options) {
|
|
const self = this;
|
|
if (!self.inited) {
|
|
self.init();
|
|
return undefined;
|
|
}
|
|
options = options || {};
|
|
|
|
// Init GridFS
|
|
const gfs = new Grid(self.db, mongodb);
|
|
|
|
// Set the default streamning settings
|
|
const settings = {
|
|
_id: new mongodb.ObjectID(fileKey._id),
|
|
root: `cfs_gridfs.${storeName}`,
|
|
};
|
|
|
|
// Check if this should be a partial read
|
|
if (
|
|
typeof options.start !== 'undefined' &&
|
|
typeof options.end !== 'undefined'
|
|
) {
|
|
// Add partial info
|
|
settings.range = {
|
|
startPos: options.start,
|
|
endPos: options.end,
|
|
};
|
|
}
|
|
return gfs.createReadStream(settings);
|
|
},
|
|
};
|
|
GStore.init();
|
|
const CRS = 'createReadStream';
|
|
const _CRS = `_${CRS}`;
|
|
const FStore = _FStore._transform;
|
|
FStore[_CRS] = FStore[CRS].bind(FStore);
|
|
FStore[CRS] = function(fileObj, options) {
|
|
let stream;
|
|
try {
|
|
const localFile = path.join(
|
|
absolutePath,
|
|
FStore.storage.fileKey(fileObj),
|
|
);
|
|
const state = fs.statSync(localFile);
|
|
if (state) {
|
|
stream = FStore[_CRS](fileObj, options);
|
|
}
|
|
} catch (e) {
|
|
// file is not there, try GridFS ?
|
|
stream = undefined;
|
|
}
|
|
if (stream) return stream;
|
|
else {
|
|
try {
|
|
const stream = GStore[CRS](GStore.fileKey(fileObj), options);
|
|
return stream;
|
|
} catch (e) {
|
|
return undefined;
|
|
}
|
|
}
|
|
}.bind(FStore);
|
|
store = _FStore;
|
|
} else {
|
|
store = new FS.Store.GridFS(localFSStore ? `G${storeName}` : storeName, {
|
|
// XXX Add a new store for cover thumbnails so we don't load big images in
|
|
// the general board view
|
|
// If the uploaded document is not an image we need to enforce browser
|
|
// download instead of execution. This is particularly important for HTML
|
|
// files that the browser will just execute if we don't serve them with the
|
|
// appropriate `application/octet-stream` MIME header which can lead to user
|
|
// data leaks. I imagine other formats (like PDF) can also be attack vectors.
|
|
// See https://github.com/wekan/wekan/issues/99
|
|
// XXX Should we use `beforeWrite` option of CollectionFS instead of
|
|
// collection-hooks?
|
|
// We should use `beforeWrite`.
|
|
...defaultStoreOptions,
|
|
});
|
|
}
|
|
Attachments = new FS.Collection('attachments', {
|
|
stores: [store],
|
|
});
|
|
|
|
if (Meteor.isServer) {
|
|
Meteor.startup(() => {
|
|
Attachments.files._ensureIndex({ cardId: 1 });
|
|
});
|
|
|
|
Attachments.allow({
|
|
insert(userId, doc) {
|
|
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
|
|
},
|
|
update(userId, doc) {
|
|
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
|
|
},
|
|
remove(userId, doc) {
|
|
return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
|
|
},
|
|
// We authorize the attachment download either:
|
|
// - if the board is public, everyone (even unconnected) can download it
|
|
// - if the board is private, only board members can download it
|
|
download(userId, doc) {
|
|
const board = Boards.findOne(doc.boardId);
|
|
if (board.isPublic()) {
|
|
return true;
|
|
} else {
|
|
return board.hasMember(userId);
|
|
}
|
|
},
|
|
|
|
fetch: ['boardId'],
|
|
});
|
|
}
|
|
|
|
// XXX Enforce a schema for the Attachments CollectionFS
|
|
|
|
if (Meteor.isServer) {
|
|
Attachments.files.after.insert((userId, doc) => {
|
|
// If the attachment doesn't have a source field
|
|
// or its source is different than import
|
|
if (!doc.source || doc.source !== 'import') {
|
|
// Add activity about adding the attachment
|
|
Activities.insert({
|
|
userId,
|
|
type: 'card',
|
|
activityType: 'addAttachment',
|
|
attachmentId: doc._id,
|
|
boardId: doc.boardId,
|
|
cardId: doc.cardId,
|
|
listId: doc.listId,
|
|
swimlaneId: doc.swimlaneId,
|
|
});
|
|
} else {
|
|
// Don't add activity about adding the attachment as the activity
|
|
// be imported and delete source field
|
|
Attachments.update(
|
|
{
|
|
_id: doc._id,
|
|
},
|
|
{
|
|
$unset: {
|
|
source: '',
|
|
},
|
|
},
|
|
);
|
|
}
|
|
});
|
|
|
|
Attachments.files.before.remove((userId, doc) => {
|
|
Activities.insert({
|
|
userId,
|
|
type: 'card',
|
|
activityType: 'deleteAttachment',
|
|
attachmentId: doc._id,
|
|
boardId: doc.boardId,
|
|
cardId: doc.cardId,
|
|
listId: doc.listId,
|
|
swimlaneId: doc.swimlaneId,
|
|
});
|
|
});
|
|
|
|
Attachments.files.after.remove((userId, doc) => {
|
|
Activities.remove({
|
|
attachmentId: doc._id,
|
|
});
|
|
});
|
|
}
|
|
|
|
export default Attachments;
|
|
|