From baf9ce90a9ff7cb71ea35a062920bb20b5e386b6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sen=C3=A9n=20Rodero=20Rodr=C3=ADguez?=
Date: Tue, 19 Sep 2017 13:05:32 +0200
Subject: [PATCH] Obfuscate documentable and imageable file names.
---
 app/models/document.rb | 4 +++-
 app/models/image.rb | 5 +++--
 spec/shared/features/documentable.rb | 2 +-
 spec/shared/features/imageable.rb | 2 +-
 spec/shared/features/nested_documentable.rb | 2 +-
 spec/shared/features/nested_imageable.rb | 2 +-
 6 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/app/models/document.rb b/app/models/document.rb
index 70713544f..a04313e50 100644
--- a/app/models/document.rb
+++ b/app/models/document.rb
@@ -1,7 +1,9 @@
 class Document < ActiveRecord::Base
 include DocumentsHelper
 include DocumentablesHelper
- has_attached_file :attachment, path: ":rails_root/public/system/:class/:prefix/:style/:filename"
+ has_attached_file :attachment, path: ":rails_root/public/system/:class/:prefix/:style/:hash.:extension",
+ url: "/system/:class/:prefix/:style/:hash.:extension",
+ hash_secret: Rails.application.secrets.secret_key_base
 attr_accessor :cached_attachment
 belongs_to :user
diff --git a/app/models/image.rb b/app/models/image.rb
index c331a1886..201ec571d 100644
--- a/app/models/image.rb
+++ b/app/models/image.rb
@@ -8,8 +8,9 @@ class Image < ActiveRecord::Base
 ACCEPTED_CONTENT_TYPE = %w(image/jpeg image/jpg)
 has_attached_file :attachment, styles: { large: "x#{MIN_SIZE}", medium: "300x300#", thumb: "140x245#" },
- path: ":rails_root/public/system/:class/:prefix/:style/:filename",
- url: "/system/:class/:prefix/:style/:filename"
+ path: ":rails_root/public/system/:class/:prefix/:style/:hash.:extension",
+ url: "/system/:class/:prefix/:style/:hash.:extension",
+ hash_secret: Rails.application.secrets.secret_key_base
 attr_accessor :cached_attachment
 belongs_to :user
diff --git a/spec/shared/features/documentable.rb b/spec/shared/features/documentable.rb
index f789ae67e..13f3b3141 100644
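Review bot: `hash_secret: Rails.application.secrets.secret_key_base` keys the public attachment path with the same secret Rails uses to sign and encrypt sessions, here and in the identical line in app/models/image.rb. Paperclip derives `:hash` as an HMAC under this key, so rotating `secret_key_base` (for instance after a suspected leak) would change every computed path and URL and detach the records from the files already on disk. A dedicated key keeps the two concerns separate, for example `hash_secret: Rails.application.key_generator.generate_key("paperclip attachment path")`, or a separate entry in secrets.yml. A short comment above the option stating that changing the value invalidates stored attachment paths would help whoever rotates secrets later. The class body continues outside the hunk.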
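Review bot: Switching `path` and `url` from `:filename` to `:hash.:extension` changes where Paperclip looks for every attachment stored before this commit, and the six files in this patch contain no task that renames the existing files; the same applies to the Document path in app/models/document.rb. If production data exists, a one-off rename task needs to run with the deploy, otherwise existing images and documents would resolve to missing files. The files also stay under `public/system`, so the hashed name only makes URLs hard to guess and is not an access check; a comment above `has_attached_file` such as `# :hash hides the original file name; files remain publicly readable by URL` would record that. The class body continues outside the hunk.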
--- a/spec/shared/features/documentable.rb
+++ b/spec/shared/features/documentable.rb
@@ -251,7 +251,7 @@ shared_examples "documentable" do |documentable_factory_name, documentable_path,
 attach_document("spec/fixtures/files/empty.pdf", true)
- expect(page).to have_css("input[name='document[cached_attachment]'][value$='empty.pdf']", visible: false)
+ expect(page).to have_css("input[name='document[cached_attachment]'][value$='.pdf']", visible: false)
 end
 scenario "Should not show 'Choose document' button after valid upload", :js do
diff --git a/spec/shared/features/imageable.rb b/spec/shared/features/imageable.rb
index c4f3156bf..3030869d3 100644
--- a/spec/shared/features/imageable.rb
+++ b/spec/shared/features/imageable.rb
@@ -211,7 +211,7 @@ shared_examples "imageable" do |imageable_factory_name, imageable_path, imageabl
 attach_image("spec/fixtures/files/clippy.jpg", true)
- expect(page).to have_css("input[name='image[cached_attachment]'][value$='clippy.jpg']", visible: false)
+ expect(page).to have_css("input[name='image[cached_attachment]'][value$='.jpg']", visible: false)
 end
 scenario "Should not update image cached_attachment field after invalid file upload", :js do
diff --git a/spec/shared/features/nested_documentable.rb b/spec/shared/features/nested_documentable.rb
index 3f22d4a62..c8b9adc5f 100644
--- a/spec/shared/features/nested_documentable.rb
+++ b/spec/shared/features/nested_documentable.rb
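Review bot: Relaxing the selector to `[value$='.pdf']` lets the scenario pass whether or not the name is obfuscated, because the original `empty.pdf` also ends in `.pdf`; the same holds for the relaxed selectors in imageable.rb, nested_documentable.rb and nested_imageable.rb. A negative check would pin the new behaviour, e.g. `expect(page).to have_no_css("input[name='document[cached_attachment]'][value$='empty.pdf']", visible: false)`. This assumes the cached_attachment value carries the hashed name, which the hunk suggests but does not show. The scenario starts outside the hunk.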
@@ -131,7 +131,7 @@ shared_examples "nested documentable" do |documentable_factory_name, path, docum
 documentable_attach_new_file(documentable_factory_name, 0, "spec/fixtures/files/empty.pdf")
- expect(page).to have_css("input[name='#{documentable_factory_name}[documents_attributes][0][cached_attachment]'][value$='empty.pdf']", visible: false)
+ expect(page).to have_css("input[name='#{documentable_factory_name}[documents_attributes][0][cached_attachment]'][value$='.pdf']", visible: false)
 end
 scenario "Should not update document cached_attachment field after unvalid file upload", :js do
diff --git a/spec/shared/features/nested_imageable.rb b/spec/shared/features/nested_imageable.rb
index 410b614af..ebbe4f9a2 100644
--- a/spec/shared/features/nested_imageable.rb
+++ b/spec/shared/features/nested_imageable.rb
@@ -85,7 +85,7 @@ shared_examples "nested imageable" do |imageable_factory_name, path, imageable_p
 imageable_attach_new_file(imageable_factory_name, "spec/fixtures/files/clippy.jpg")
- expect(page).to have_selector("input[name='#{imageable_factory_name}[image_attributes]cached_attachment'][value$='clippy.jpg']", visible: false)
+ expect(page).to have_selector("input[name='#{imageable_factory_name}[image_attributes]cached_attachment'][value$='.jpg']", visible: false)
 end
 scenario "Should not update image cached_attachment field after unvalid file upload", :js do