Use controllers to serve uploads, with XSS prevention and access control.

author: Douwe Maan <douwe@gitlab.com> 2015-02-20 13:13:48 +0100
committer: Douwe Maan <douwe@gitlab.com> 2015-02-20 13:13:48 +0100
commit: 00ca490259de684f4240de4f61728b8eaefbb13e (patch)
tree: 1b27729d864898dc8c87473359ad642b7432ce3b /app/controllers/projects/uploads_controller.rb
parent: 4310431ee73fdd6aa3874aaccc0a901252e7f61f (diff)
download: gitlab-ce-00ca490259de684f4240de4f61728b8eaefbb13e.tar.gz
1 files changed, 19 insertions, 0 deletions
diff --git a/app/controllers/projects/uploads_controller.rb b/app/controllers/projects/uploads_controller.rb
new file mode 100644
index 00000000000..b922b56418a
--- /dev/null
+++ b/app/controllers/projects/uploads_controller.rb
@@ -0,0 +1,19 @@
+class Projects::UploadsController < Projects::ApplicationController
+  layout "project"
+
+  before_filter :project
+
+  def show
+    path = File.join(project.path_with_namespace, params[:secret])
+    uploader = FileUploader.new('uploads', path)
+
+    uploader.retrieve_from_store!(params[:filename])
+
+    if uploader.file.exists?
+      # Right now, these are always images, so we can safely render them inline.
+      send_file uploader.file.path, disposition: 'inline'
+    else
+      not_found!
+    end
+  end
+end
+\ No newline at end of file
author	Douwe Maan <douwe@gitlab.com>	2015-02-20 13:13:48 +0100
committer	Douwe Maan <douwe@gitlab.com>	2015-02-20 13:13:48 +0100
commit	00ca490259de684f4240de4f61728b8eaefbb13e (patch)
tree	1b27729d864898dc8c87473359ad642b7432ce3b /app/controllers/projects/uploads_controller.rb
parent	4310431ee73fdd6aa3874aaccc0a901252e7f61f (diff)
download	gitlab-ce-00ca490259de684f4240de4f61728b8eaefbb13e.tar.gz