From 00ca490259de684f4240de4f61728b8eaefbb13e Mon Sep 17 00:00:00 2001
From: Douwe Maan <douwe@gitlab.com>
Date: Fri, 20 Feb 2015 13:13:48 +0100
Subject: Use controllers to serve uploads, with XSS prevention and access
 control.

---
 app/controllers/uploads_controller.rb | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)
 create mode 100644 app/controllers/uploads_controller.rb

(limited to 'app/controllers/uploads_controller.rb')

diff --git a/app/controllers/uploads_controller.rb b/app/controllers/uploads_controller.rb
new file mode 100644
index 00000000000..d5877977258
--- /dev/null
+++ b/app/controllers/uploads_controller.rb
@@ -0,0 +1,17 @@
+class UploadsController < ApplicationController
+  def show
+    model = params[:model].camelize.constantize.find(params[:id])
+    uploader = model.send(params[:mounted_as])
+
+    if uploader.file_storage?
+      if !model.respond_to?(:project) || can?(current_user, :read_project, model.project)
+        disposition = uploader.image? ? 'inline' : 'attachment'
+        send_file uploader.file.path, disposition: disposition
+      else
+        not_found!
+      end
+    else
+      redirect_to uploader.url
+    end
+  end
+end
-- 
cgit v1.2.1