grecia/spec/factories/files.rb
Javi Martín be9c272ce4 Remove default Active Storage direct upload action
We're already using a custom controller to handle direct uploads.

Besides, as mentioned by one of Active Storage co-authors [1], the
Active Storage DirectUploadsController doesn't provide any
authentication or validation at all, meaning anyone could create blobs
in our database by posting to `/rails/active_storage/direct_uploads`.
The response there could then be used to upload any file (again, without
validation) to `/rails/active_storage/disk/`.

For now, we're monkey-patching the controllers in order to send
unauthorized responses, since we aren't using these routes. If we ever
enable direct uploads with Active Storage, we'll have to add some sort
of authentication.

Similar upload solutions like CKEditor don't have this issue since their
controllers inherit from `ApplicationController` (which includes
authorization rules), while Active Storage controllers inherit from
`ActionController::Base`.

[1] https://discuss.rubyonrails.org/t/activestorage-direct-uploads-safe-by-default-how-to-make-it-safe/74863/2
2021-09-24 13:39:15 +02:00


FactoryBot.define do
  # Image record with a fixture JPEG attached. The polymorphic `imageable`
  # owner is only set when one of the traits below is applied.
  factory :image do
    title { "Lorem ipsum dolor sit amet" }
    # File handle is handed to the record as-is; nothing here closes it.
    attachment { File.new("spec/fixtures/files/clippy.jpg") }
    user

    trait :proposal_image do
      association :imageable, factory: :proposal
    end

    trait :budget_investment_image do
      association :imageable, factory: :budget_investment
    end
  end

  # Document record with a fixture PDF attached and a unique, sequenced title.
  # The polymorphic `documentable` owner is only set through a trait.
  factory :document do
    sequence(:title) { |n| "Document title #{n}" }
    attachment { File.new("spec/fixtures/files/empty.pdf") }
    user

    trait :proposal_document do
      association :documentable, factory: :proposal
    end

    trait :budget_investment_document do
      association :documentable, factory: :budget_investment
    end

    trait :poll_question_document do
      association :documentable, factory: :poll_question
    end

    # Marks the document as uploaded by an administrator.
    trait :admin do
      admin { true }
    end
  end

  # DirectUpload is instantiated through `new(attributes)` instead of
  # FactoryBot's default attribute-by-attribute assignment. `resource_type`
  # and `resource_relation` are chosen by combining one trait from each group.
  factory :direct_upload do
    user

    # Target resource type.
    trait :proposal do
      resource_type { "Proposal" }
    end

    trait :budget_investment do
      resource_type { "Budget::Investment" }
    end

    # Target relation on the resource, with a matching fixture file.
    trait :documents do
      resource_relation { "documents" }
      attachment { File.new("spec/fixtures/files/empty.pdf") }
    end

    trait :image do
      resource_relation { "image" }
      attachment { File.new("spec/fixtures/files/clippy.jpg") }
    end

    initialize_with { new(attributes) }
  end

  # Metadata-only blob: no file content is written, and the checksum is a
  # random value that merely needs to be present (it does not match any data).
  # `class:` is given explicitly because the factory name does not map to the
  # namespaced constant.
  factory :active_storage_blob, class: "ActiveStorage::Blob" do
    filename { "sample.pdf" }
    byte_size { 3000 }
    checksum { SecureRandom.hex(32) }
  end
end