Class: UploadValidator

Inherits:
ActiveModel::Validator
  • Object
Defined in:
lib/validators/upload_validator.rb

Instance Method Summary collapse

Instance Method Details

#authorized_attachment_extension(upload, extension) ⇒ Object



# File 'lib/validators/upload_validator.rb', line 64

# Checks +extension+ against the attachment allow-list resolved for this upload.
#
# @param upload the upload record under validation
# @param extension [String] file extension to check
# @return [Object] whatever extension_authorized? returns for the attachment list
def authorized_attachment_extension(upload, extension)
  allowed = authorized_attachments(upload)
  extension_authorized?(upload, extension, allowed)
end

#authorized_image_extension(upload, extension) ⇒ Object



# File 'lib/validators/upload_validator.rb', line 56

# Checks +extension+ against the image allow-list resolved for this upload.
#
# @param upload the upload record under validation
# @param extension [String] file extension to check
# @return [Object] whatever extension_authorized? returns for the image list
def authorized_image_extension(upload, extension)
  allowed = authorized_images(upload)
  extension_authorized?(upload, extension, allowed)
end

#changing_upload_security?(upload) ⇒ Boolean

This should only be run on existing records. It covers cases where upload.update_secure_status is run outside of the creation flow, where some cases have exemptions from the extension enforcement.

Returns:

  • (Boolean)


# File 'lib/validators/upload_validator.rb', line 45

# Tells whether an already-persisted upload is being saved with changes
# limited to its security-status columns.
#
# NOTE(review): `all?` is true for an empty key list, so an existing record
# with no pending changes also returns true here. Confirm callers expect that,
# since validate skips its extension checks when this is true.
#
# @param upload the upload record; read for new_record? and changed_attributes
# @return [Boolean] false for new records, otherwise whether every changed
#   attribute is one of the security columns
def changing_upload_security?(upload)
  return false if upload.new_record?

  security_columns = %w[secure security_last_changed_at security_last_changed_reason]
  upload.changed_attributes.keys.all? { |name| security_columns.include?(name) }
end

#is_authorized?(upload, extension) ⇒ Boolean

Returns:

  • (Boolean)


# File 'lib/validators/upload_validator.rb', line 52

# Checks +extension+ against the combined allow-list from authorized_extensions.
#
# @param upload the upload record under validation
# @param extension [String] file extension to check
# @return [Boolean] result of extension_authorized? for that list
def is_authorized?(upload, extension)
  allowed = authorized_extensions(upload)
  extension_authorized?(upload, extension, allowed)
end

#maximum_attachment_file_size(upload) ⇒ Object



# File 'lib/validators/upload_validator.rb', line 68

# Applies the size check for the "attachment" upload type.
#
# @param upload the upload record under validation
# @return [Object] whatever maximum_file_size returns
def maximum_attachment_file_size(upload)
  kind = "attachment"
  maximum_file_size(upload, kind)
end

#maximum_image_file_size(upload) ⇒ Object



# File 'lib/validators/upload_validator.rb', line 60

# Applies the size check for the "image" upload type.
#
# @param upload the upload record under validation
# @return [Object] whatever maximum_file_size returns
def maximum_image_file_size(upload)
  kind = "image"
  maximum_file_size(upload, kind)
end

#validate(upload) ⇒ Object



# File 'lib/validators/upload_validator.rb', line 6

# Runs the upload checks in a fixed order; each exemption below returns early
# and skips every check that follows it, so the order is significant.
#
# @param upload the upload record; read for its for_* flags, user,
#   original_filename and change state
# @return [Object] true on the exempt paths, the `=~` result on the
#   group-message path, nil when the extension is not authorized, otherwise
#   the result of the final size check
def validate(upload)
  # Exemption: staff may upload any file in a PM when the site setting allows it.
  staff_pm_exempt =
    upload.for_private_message && SiteSetting.allow_staff_to_upload_any_file_in_pm &&
      upload.user&.staff?
  return true if staff_pm_exempt

  # Group messages with "allow all attachments" enabled: only the filename
  # blocklist regex is consulted; extension and size checks are skipped.
  # NOTE(review): ActiveModel reads validity from record.errors, not from a
  # validator's return value, and this branch adds no error itself. Confirm
  # that a blocklisted filename is rejected by another check on this path.
  if upload.for_group_message && SiteSetting.allow_all_attachments_for_group_messages
    return upload.original_filename =~ SiteSetting.blocked_attachment_filenames_regex
  end

  # Extension without the leading dot; "" when the filename has none.
  extension = File.extname(upload.original_filename)[1..-1] || ""

  # Exemption: staff uploading a supported image for a site setting.
  staff_site_setting_image =
    upload.for_site_setting && upload.user&.staff? &&
      FileHelper.is_supported_image?(upload.original_filename)
  return true if staff_site_setting_image

  # Gravatars: the extension is checked against the gravatar list, then only
  # the image size limit is applied.
  if upload.for_gravatar && FileHelper.supported_gravatar_extensions.include?(extension)
    maximum_image_file_size(upload)
    return true
  end

  # Updates that only touch the security columns of an existing record are
  # not re-validated.
  return true if changing_upload_security?(upload)

  return unless is_authorized?(upload, extension)

  if FileHelper.is_supported_image?(upload.original_filename)
    authorized_image_extension(upload, extension)
    maximum_image_file_size(upload)
  else
    authorized_attachment_extension(upload, extension)
    maximum_attachment_file_size(upload)
  end
end