From d574657b779f2cce275b2788d49a4fb7c19d3258 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ra=C3=BAl=20Fuentes?=
Date: Fri, 24 Aug 2018 15:11:54 +0200
Subject: [PATCH] Fixes for the review made by @javierm this commit will be merged with the others when the chages are accepted
---
app/controllers/application_controller.rb | 8 ++++++++
app/controllers/ckeditor/pictures_controller.rb | 8 +++++---
app/models/abilities/common.rb | 3 +++
app/models/abilities/everyone.rb | 4 +---
app/models/ckeditor/attachment_file.rb | 13 -------------
app/models/ckeditor/picture.rb | 6 +++---
config/initializers/ckeditor.rb | 2 ++
db/migrate/20180813141443_create_ckeditor_assets.rb | 4 +++-
db/schema.rb | 1 +
lib/wysiwyg_sanitizer.rb | 4 ++--
10 files changed, 28 insertions(+), 25 deletions(-)
delete mode 100644 app/models/ckeditor/attachment_file.rb
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e97b87cd3..06e0c79d8 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -27,8 +27,16 @@ class ApplicationController < ActionController::Base
 respond_to :html
 helper_method :current_budget
+ before_action :set_user_for_ckeditor_pictures
+
 private
+ def set_user_for_ckeditor_pictures
+ if request.path == '/ckeditor/pictures' && request.request_method == 'POST'
+ params['user_id'] = current_user.id
+ end
+ end
+
 def authenticate_http_basic
 authenticate_or_request_with_http_basic do |username, password|
 username == Rails.application.secrets.http_basic_username && password == Rails.application.secrets.http_basic_password
diff --git a/app/controllers/ckeditor/pictures_controller.rb b/app/controllers/ckeditor/pictures_controller.rb
index 1dded38f3..4cdb9f1ea 100644
--- a/app/controllers/ckeditor/pictures_controller.rb
+++ b/app/controllers/ckeditor/pictures_controller.rb
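Review bot: `set_user_for_ckeditor_pictures` dereferences `current_user.id` without checking that anyone is signed in, so an anonymous POST to /ckeditor/pictures raises NoMethodError in ApplicationController before the pictures controller's own authorization ever runs; a `return unless current_user` guard at the top of the method avoids that. Nothing in this patch reads the `params['user_id']` it writes — `Ckeditor::PicturesController#create` assigns `user_id: current_user.id` directly — so the hook looks redundant, and matching on the raw `request.path` string is fragile (a format suffix or trailing slash defeats the comparison). If it is kept, it belongs in the pictures controller rather than in the application-wide base class. The hunk ends inside `authenticate_http_basic`, whose body continues outside it.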
@@ -1,5 +1,7 @@
 class Ckeditor::PicturesController < Ckeditor::ApplicationController
+ load_and_authorize_resource
+
 def index
 @pictures = Ckeditor.picture_adapter.find_all(ckeditor_pictures_scope)
 @pictures = Ckeditor::Paginatable.new(@pictures).page(params[:page])
@@ -10,7 +12,7 @@ class Ckeditor::PicturesController < Ckeditor::ApplicationController
 end
 def create
- @picture = Ckeditor.picture_model.new
+ @picture = Ckeditor.picture_model.new(user_id: current_user.id)
 respond_with_asset(@picture)
 end
@@ -30,7 +32,7 @@ class Ckeditor::PicturesController < Ckeditor::ApplicationController
 end
 def authorize_resource
- model = (@picture || Ckeditor.picture_model)
+ model = @picture || Ckeditor.picture_model
 @authorization_adapter.try(:authorize, params[:action], model)
 end
-end
\ No newline at end of file
+end
diff --git a/app/models/abilities/common.rb b/app/models/abilities/common.rb
index 7c84089b4..d1b2cdf94 100644
--- a/app/models/abilities/common.rb
+++ b/app/models/abilities/common.rb
@@ -5,6 +5,9 @@ module Abilities
 def initialize(user)
 merge Abilities::Everyone.new(user)
+ can :access, :ckeditor # needed to access Ckeditor filebrowser
+ can [:access, :create, :destroy], Ckeditor::Picture, id: user.id
+
 can [:read, :update], User, id: user.id
 can :read, Debate
diff --git a/app/models/abilities/everyone.rb b/app/models/abilities/everyone.rb
index dcc430cdd..090823e5c 100644
--- a/app/models/abilities/everyone.rb
+++ b/app/models/abilities/everyone.rb
@@ -3,10 +3,8 @@ module Abilities
 include CanCan::Ability
 def initialize(user)
- can :access, :ckeditor # needed to access Ckeditor filebrowser
- can [:access, :read, :create, :destroy], Ckeditor::Picture
- can [:access, :read, :create, :destroy], Ckeditor::AttachmentFile
+ can :read, Ckeditor::Picture
 can [:read, :map], Debate
 can [:read, :map, :summary, :share], Proposal
 can :read, Comment
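Review bot: `load_and_authorize_resource` is applied to this controller twice in this patch — here and again as `Ckeditor::PicturesController.send(:load_and_authorize_resource)` in config/initializers/ckeditor.rb — so the load/authorize callback is registered two times; keep only the declaration here, which is the conventional place, and note that the `send` in the initializer is unnecessary since the macro is public. This controller also defines its own `authorize_resource` (third hunk), presumably run by the engine's base controller, so it is worth confirming the two mechanisms agree on which ability actions are checked for `index` and `create`.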
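Review bot: `create` overwrites the `@picture` that `load_and_authorize_resource` (first hunk) built and authorized with a fresh `Ckeditor.picture_model.new(user_id: current_user.id)`, so the instance that gets saved is not the one the ability check ran against. Prefer setting the owner on the loaded resource, `@picture.user_id = current_user.id`, in place of the new line, or else call `authorize! :create, @picture` explicitly after building it. This assumes the CanCan callback fires before `create`, which is what the first hunk's declaration does.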
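Review bot: `can [:access, :create, :destroy], Ckeditor::Picture, id: user.id` compares the picture's primary key with the user's id rather than the picture's owner, so the rule grants destroy only on the picture whose `id` happens to coincide with `user.id` and never on the pictures the user actually uploaded. This patch adds a `user_id` column and sets it in `create`, so the condition should read `can [:access, :create, :destroy], Ckeditor::Picture, user_id: user.id`. An ability spec asserting that a user cannot destroy another user's picture but can destroy their own would pin this down.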
diff --git a/app/models/ckeditor/attachment_file.rb b/app/models/ckeditor/attachment_file.rb
deleted file mode 100644
index 8d0c2eec7..000000000
--- a/app/models/ckeditor/attachment_file.rb
+++ /dev/null
@@ -1,13 +0,0 @@
-class Ckeditor::AttachmentFile < Ckeditor::Asset
- has_attached_file :data,
- url: '/ckeditor_assets/attachments/:id/:filename',
- path: ':rails_root/public/ckeditor_assets/attachments/:id/:filename'
-
- validates_attachment_presence :data
- validates_attachment_size :data, less_than: 100.megabytes
- do_not_validate_attachment_file_type :data
-
- def url_thumb
- @url_thumb ||= Ckeditor::Utils.filethumb(filename)
- end
-end
diff --git a/app/models/ckeditor/picture.rb b/app/models/ckeditor/picture.rb
index 445c2bbd9..9c05daabf 100644
--- a/app/models/ckeditor/picture.rb
+++ b/app/models/ckeditor/picture.rb
@@ -4,9 +4,9 @@ class Ckeditor::Picture < Ckeditor::Asset
 path: ':rails_root/public/ckeditor_assets/pictures/:id/:style_:basename.:extension',
 styles: { content: '800>', thumb: '118x100#' }
- validates_attachment_presence :data
- validates_attachment_size :data, less_than: 2.megabytes
- validates_attachment_content_type :data, content_type: /\Aimage/
+ # validates_attachment_presence :data
+ # validates_attachment_size :data, less_than: 2.megabytes
+ # validates_attachment_content_type :data, content_type: /\Aimage/
 def url_content
 url(:content)
diff --git a/config/initializers/ckeditor.rb b/config/initializers/ckeditor.rb
index 8f80a4308..c0ee18dba 100644
--- a/config/initializers/ckeditor.rb
+++ b/config/initializers/ckeditor.rb
@@ -56,3 +56,5 @@ Ckeditor.setup do |config|
 # By default: "ckeditor/config.js"
 # config.js_config_url = 'ckeditor/config.js'
 end
+
+Ckeditor::PicturesController.send(:load_and_authorize_resource)
diff --git a/db/migrate/20180813141443_create_ckeditor_assets.rb b/db/migrate/20180813141443_create_ckeditor_assets.rb
index df3df2862..098933bce 100644
--- a/db/migrate/20180813141443_create_ckeditor_assets.rb
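Review bot: Commenting out `validates_attachment_content_type`, `validates_attachment_size` and `validates_attachment_presence` removes every server-side check on what is written under public/ckeditor_assets/pictures, so any user allowed to create pictures could store files of arbitrary type and size that the web server then serves back as static content. Given that the deleted attachment_file.rb used `do_not_validate_attachment_file_type`, this project appears to be on Paperclip 4+, where dropping the content-type validator without that explicit opt-out also typically raises `Paperclip::Errors::MissingRequiredValidatorError` when the class loads. If one of these validations was rejecting legitimate uploads during review, adjust its arguments rather than disabling it; at minimum keep `validates_attachment_content_type :data, content_type: /\Aimage/` and `validates_attachment_size :data, less_than: 2.megabytes` active, and add a model test that a non-image upload is rejected.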
+++ b/db/migrate/20180813141443_create_ckeditor_assets.rb
@@ -7,10 +7,12 @@ class CreateCkeditorAssets < ActiveRecord::Migration
 t.string :data_fingerprint
 t.string :type, limit: 30
- # Uncomment it to save images dimensions, if your need it
+ # Uncomment it to save images dimensions, if you need it
 t.integer :width
 t.integer :height
+ t.integer :user_id
+
 t.timestamps null: false
 end
diff --git a/db/schema.rb b/db/schema.rb
index e03b22ac7..3f7771736 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -302,6 +302,7 @@ ActiveRecord::Schema.define(version: 20180813141443) do
 t.string "type", limit: 30
 t.integer "width"
 t.integer "height"
+ t.integer "user_id"
 t.datetime "created_at", null: false
 t.datetime "updated_at", null: false
 end
diff --git a/lib/wysiwyg_sanitizer.rb b/lib/wysiwyg_sanitizer.rb
index 681c7b5fd..64c26c34f 100644
--- a/lib/wysiwyg_sanitizer.rb
+++ b/lib/wysiwyg_sanitizer.rb
@@ -1,7 +1,7 @@
 class WYSIWYGSanitizer
- ALLOWED_TAGS = %w(p ul ol li strong em u s)
- ALLOWED_ATTRIBUTES = []
+ ALLOWED_TAGS = %w(p ul ol li strong em u s img a h1 h2 h3 h4 h6 pre addres div)
+ ALLOWED_ATTRIBUTES = %w(href style src alt)
 def sanitize(html)
 ActionController::Base.helpers.sanitize(html, tags: ALLOWED_TAGS, attributes: ALLOWED_ATTRIBUTES)
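Review bot: `t.integer :user_id` adds the owner column without an index or foreign key, although the ownership rules introduced elsewhere in this patch will presumably look pictures up by it; `t.references :user, index: true` in its place expresses the intent and keeps that lookup indexed (add `foreign_key: true` if the schema already uses database-level foreign keys). Editing the existing 20180813141443 migration rather than adding a new one only works on databases that have not yet run it — if any environment has already migrated, the column will never be created there. The `end` closing the hunk appears to be the `create_table` block, so the migration class likely continues outside the hunk.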