2017-07-26 20:03:23 +01:00
|
|
|
// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
|
|
|
|
|
//
|
|
|
|
|
// This software (Documize Community Edition) is licensed under
|
|
|
|
|
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
|
|
|
|
|
//
|
|
|
|
|
// You can operate outside the AGPL restrictions by purchasing
|
|
|
|
|
// Documize Enterprise Edition and obtaining a commercial license
|
|
|
|
|
// by contacting <sales@documize.com>.
|
|
|
|
|
//
|
|
|
|
|
// https://documize.com
|
|
|
|
|
|
|
|
|
|
package attachment
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"bytes"
|
|
|
|
|
"database/sql"
|
|
|
|
|
"io"
|
|
|
|
|
"mime"
|
|
|
|
|
"net/http"
|
2018-12-19 12:41:36 +00:00
|
|
|
"strings"
|
2017-07-26 20:03:23 +01:00
|
|
|
|
|
|
|
|
"github.com/documize/community/core/env"
|
|
|
|
|
"github.com/documize/community/core/request"
|
|
|
|
|
"github.com/documize/community/core/response"
|
|
|
|
|
"github.com/documize/community/core/secrets"
|
|
|
|
|
"github.com/documize/community/core/uniqueid"
|
|
|
|
|
"github.com/documize/community/domain"
|
2019-06-11 18:03:28 +01:00
|
|
|
"github.com/documize/community/domain/auth"
|
2017-08-31 18:01:07 +01:00
|
|
|
"github.com/documize/community/domain/organization"
|
2017-09-18 17:53:42 +01:00
|
|
|
"github.com/documize/community/domain/permission"
|
2017-08-15 19:41:44 +01:00
|
|
|
indexer "github.com/documize/community/domain/search"
|
2018-09-27 15:14:48 +01:00
|
|
|
"github.com/documize/community/domain/store"
|
2017-07-26 20:03:23 +01:00
|
|
|
"github.com/documize/community/model/attachment"
|
|
|
|
|
"github.com/documize/community/model/audit"
|
2019-06-11 18:03:28 +01:00
|
|
|
"github.com/documize/community/model/space"
|
2018-03-14 13:38:37 +00:00
|
|
|
"github.com/documize/community/model/workflow"
|
2017-07-26 20:03:23 +01:00
|
|
|
uuid "github.com/nu7hatch/gouuid"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// Handler contains the runtime information such as logging and database.
|
|
|
|
|
type Handler struct {
|
|
|
|
|
Runtime *env.Runtime
|
2018-09-27 15:14:48 +01:00
|
|
|
Store *store.Store
|
2017-08-15 19:41:44 +01:00
|
|
|
Indexer indexer.Indexer
|
2017-07-26 20:03:23 +01:00
|
|
|
}
|
|
|
|
|
|
2018-06-25 19:40:04 +01:00
|
|
|
// Download sends requested file to the client/browser.
|
2017-07-26 20:03:23 +01:00
|
|
|
func (h *Handler) Download(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
method := "attachment.Download"
|
|
|
|
|
ctx := domain.GetRequestContext(r)
|
2017-08-31 18:01:07 +01:00
|
|
|
ctx.Subdomain = organization.GetSubdomainFromHost(r)
|
2018-12-19 12:41:36 +00:00
|
|
|
ctx.OrgID = request.Param(r, "orgID")
|
2017-07-26 20:03:23 +01:00
|
|
|
|
2018-12-19 12:41:36 +00:00
|
|
|
// Is caller permitted to download this attachment?
|
|
|
|
|
canDownload := false
|
2017-07-26 20:03:23 +01:00
|
|
|
|
2018-12-19 12:41:36 +00:00
|
|
|
// Do e have user authentication token?
|
|
|
|
|
authToken := strings.TrimSpace(request.Query(r, "token"))
|
|
|
|
|
|
|
|
|
|
// Do we have secure sharing token (for external users)?
|
|
|
|
|
secureToken := strings.TrimSpace(request.Query(r, "secure"))
|
|
|
|
|
|
|
|
|
|
// We now fetch attachment, the document and space it lives inside.
|
|
|
|
|
// Any data loading issue spells the end of this request.
|
|
|
|
|
|
|
|
|
|
// Get attachment being requested.
|
|
|
|
|
a, err := h.Store.Attachment.GetAttachment(ctx, ctx.OrgID, request.Param(r, "attachmentID"))
|
2017-07-26 20:03:23 +01:00
|
|
|
if err == sql.ErrNoRows {
|
2019-03-13 11:42:32 +00:00
|
|
|
response.WriteNotFoundError(w, method, request.Param(r, "attachmentID"))
|
2017-07-26 20:03:23 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("get attachment", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-19 12:41:36 +00:00
|
|
|
// Get the document for this attachment
|
|
|
|
|
doc, err := h.Store.Document.Get(ctx, a.DocumentID)
|
|
|
|
|
if err == sql.ErrNoRows {
|
|
|
|
|
response.WriteNotFoundError(w, method, a.DocumentID)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.Runtime.Log.Error("get attachment document", err)
|
|
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-11 18:03:28 +01:00
|
|
|
// Get the space for this attachment.
|
2018-12-19 12:41:36 +00:00
|
|
|
sp, err := h.Store.Space.Get(ctx, doc.SpaceID)
|
|
|
|
|
if err == sql.ErrNoRows {
|
|
|
|
|
response.WriteNotFoundError(w, method, a.DocumentID)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.Runtime.Log.Error("get attachment document", err)
|
|
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-11 18:03:28 +01:00
|
|
|
// Get the organization for this request.
|
2019-01-16 16:55:43 +00:00
|
|
|
org, err := h.Store.Organization.GetOrganization(ctx, ctx.OrgID)
|
|
|
|
|
if err == sql.ErrNoRows {
|
|
|
|
|
response.WriteNotFoundError(w, method, a.DocumentID)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.Runtime.Log.Error("get attachment org", err)
|
|
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-19 12:41:36 +00:00
|
|
|
// At this point, all data associated data is loaded.
|
|
|
|
|
// We now begin security checks based upon the request.
|
|
|
|
|
|
|
|
|
|
// If attachment is in public space then anyone can download
|
2019-01-16 16:55:43 +00:00
|
|
|
if org.AllowAnonymousAccess && sp.Type == space.ScopePublic {
|
|
|
|
|
canDownload = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// External users can be sent secure document viewing links.
|
|
|
|
|
// Those documents may contain attachments that external viewers
|
|
|
|
|
// can download as required.
|
|
|
|
|
// Such secure document viewing links can have expiry dates.
|
|
|
|
|
if !canDownload && len(secureToken) > 0 {
|
2018-12-19 12:41:36 +00:00
|
|
|
canDownload = true
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// If an user authentication token was provided we check to see
|
|
|
|
|
// if user can view document.
|
|
|
|
|
// This check only applies to attachments NOT in public spaces.
|
2019-01-16 16:55:43 +00:00
|
|
|
if !canDownload && len(authToken) > 0 {
|
|
|
|
|
// Decode and check incoming token.
|
2018-12-19 12:41:36 +00:00
|
|
|
creds, _, err := auth.DecodeJWT(h.Runtime, authToken)
|
|
|
|
|
if err != nil {
|
|
|
|
|
h.Runtime.Log.Error("get attachment decode auth token", err)
|
|
|
|
|
response.WriteForbiddenError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
// Check for tampering.
|
|
|
|
|
if ctx.OrgID != creds.OrgID {
|
|
|
|
|
h.Runtime.Log.Error("get attachment org ID mismatch", err)
|
|
|
|
|
response.WriteForbiddenError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Use token-based user ID for subsequent processing.
|
|
|
|
|
ctx.UserID = creds.UserID
|
|
|
|
|
|
|
|
|
|
// Check to see if user can view BOTH space and document.
|
|
|
|
|
if !permission.CanViewSpace(ctx, *h.Store, sp.RefID) || !permission.CanViewDocument(ctx, *h.Store, a.DocumentID) {
|
|
|
|
|
h.Runtime.Log.Error("get attachment cannot view document", err)
|
|
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Authenticated user can view attachment.
|
|
|
|
|
canDownload = true
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-10 20:03:34 +01:00
|
|
|
if !canDownload && len(secureToken) == 0 && len(authToken) == 0 {
|
2019-03-13 11:42:32 +00:00
|
|
|
h.Runtime.Log.Error("get attachment received no access token", err)
|
|
|
|
|
response.WriteForbiddenError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-19 12:41:36 +00:00
|
|
|
// Send back error if caller unable view attachment
|
|
|
|
|
if !canDownload {
|
|
|
|
|
h.Runtime.Log.Error("get attachment refused", err)
|
|
|
|
|
response.WriteForbiddenError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// At this point, user can view attachment so we send it back!
|
2017-07-26 20:03:23 +01:00
|
|
|
typ := mime.TypeByExtension("." + a.Extension)
|
|
|
|
|
if typ == "" {
|
|
|
|
|
typ = "application/octet-stream"
|
|
|
|
|
}
|
|
|
|
|
|
2019-06-11 18:03:28 +01:00
|
|
|
dataSize := len(a.Data)
|
|
|
|
|
|
2019-11-14 17:38:53 +00:00
|
|
|
// w.WriteHeader(http.StatusOK)
|
2017-07-26 20:03:23 +01:00
|
|
|
w.Header().Set("Content-Type", typ)
|
|
|
|
|
w.Header().Set("Content-Disposition", `Attachment; filename="`+a.Filename+`" ; `+`filename*="`+a.Filename+`"`)
|
2019-06-11 18:03:28 +01:00
|
|
|
if dataSize != 0 {
|
|
|
|
|
w.Header().Set("Content-Length", string(dataSize))
|
|
|
|
|
}
|
2017-07-26 20:03:23 +01:00
|
|
|
|
|
|
|
|
_, err = w.Write(a.Data)
|
|
|
|
|
if err != nil {
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("write attachment", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
h.Store.Audit.Record(ctx, audit.EventTypeAttachmentDownload)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Get is an end-point that returns all of the attachments of a particular documentID.
|
|
|
|
|
func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
method := "attachment.GetAttachments"
|
|
|
|
|
ctx := domain.GetRequestContext(r)
|
|
|
|
|
|
|
|
|
|
documentID := request.Param(r, "documentID")
|
|
|
|
|
if len(documentID) == 0 {
|
|
|
|
|
response.WriteMissingDataError(w, method, "documentID")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-18 17:53:42 +01:00
|
|
|
if !permission.CanViewDocument(ctx, *h.Store, documentID) {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteForbiddenError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
a, err := h.Store.Attachment.GetAttachments(ctx, documentID)
|
|
|
|
|
if err != nil && err != sql.ErrNoRows {
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("get attachment", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
if len(a) == 0 {
|
|
|
|
|
a = []attachment.Attachment{}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
response.WriteJSON(w, a)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Delete is an endpoint that deletes a particular document attachment.
|
|
|
|
|
func (h *Handler) Delete(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
method := "attachment.DeleteAttachment"
|
|
|
|
|
ctx := domain.GetRequestContext(r)
|
|
|
|
|
|
|
|
|
|
documentID := request.Param(r, "documentID")
|
|
|
|
|
if len(documentID) == 0 {
|
|
|
|
|
response.WriteMissingDataError(w, method, "documentID")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
attachmentID := request.Param(r, "attachmentID")
|
|
|
|
|
if len(attachmentID) == 0 {
|
|
|
|
|
response.WriteMissingDataError(w, method, "attachmentID")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2017-09-18 17:53:42 +01:00
|
|
|
if !permission.CanChangeDocument(ctx, *h.Store, documentID) {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteForbiddenError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var err error
|
|
|
|
|
ctx.Transaction, err = h.Runtime.Db.Beginx()
|
|
|
|
|
if err != nil {
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("transaction", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = h.Store.Attachment.Delete(ctx, attachmentID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
ctx.Transaction.Rollback()
|
|
|
|
|
response.WriteServerError(w, method, err)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("delete attachment", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Mark references to this document as orphaned
|
|
|
|
|
err = h.Store.Link.MarkOrphanAttachmentLink(ctx, attachmentID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
ctx.Transaction.Rollback()
|
|
|
|
|
response.WriteServerError(w, method, err)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("delete attachment links", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx.Transaction.Commit()
|
|
|
|
|
|
2018-02-04 15:43:57 +00:00
|
|
|
h.Store.Audit.Record(ctx, audit.EventTypeAttachmentDelete)
|
|
|
|
|
|
2017-08-15 19:41:44 +01:00
|
|
|
a, _ := h.Store.Attachment.GetAttachments(ctx, documentID)
|
|
|
|
|
d, _ := h.Store.Document.Get(ctx, documentID)
|
2018-03-14 13:38:37 +00:00
|
|
|
|
|
|
|
|
if d.Lifecycle == workflow.LifecycleLive {
|
|
|
|
|
go h.Indexer.IndexDocument(ctx, d, a)
|
|
|
|
|
} else {
|
|
|
|
|
go h.Indexer.DeleteDocument(ctx, d.RefID)
|
|
|
|
|
}
|
2017-08-15 19:41:44 +01:00
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteEmpty(w)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Add stores files against a document.
|
|
|
|
|
func (h *Handler) Add(w http.ResponseWriter, r *http.Request) {
|
|
|
|
|
method := "attachment.Add"
|
|
|
|
|
ctx := domain.GetRequestContext(r)
|
|
|
|
|
|
|
|
|
|
documentID := request.Param(r, "documentID")
|
|
|
|
|
if len(documentID) == 0 {
|
|
|
|
|
response.WriteMissingDataError(w, method, "documentID")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
2019-04-17 17:13:18 +01:00
|
|
|
// File can be associated with a section as well.
|
|
|
|
|
sectionID := request.Query(r, "page")
|
|
|
|
|
|
2017-09-18 17:53:42 +01:00
|
|
|
if !permission.CanChangeDocument(ctx, *h.Store, documentID) {
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteForbiddenError(w)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
filedata, filename, err := r.FormFile("attachment")
|
|
|
|
|
if err != nil {
|
|
|
|
|
response.WriteMissingDataError(w, method, "attachment")
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
b := new(bytes.Buffer)
|
|
|
|
|
_, err = io.Copy(b, filedata)
|
|
|
|
|
if err != nil {
|
|
|
|
|
response.WriteServerError(w, method, err)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("add attachment", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var job = "some-uuid"
|
|
|
|
|
newUUID, err := uuid.NewV4()
|
|
|
|
|
if err != nil {
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("uuid", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteServerError(w, method, err)
|
|
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
job = newUUID.String()
|
|
|
|
|
|
|
|
|
|
var a attachment.Attachment
|
|
|
|
|
refID := uniqueid.Generate()
|
|
|
|
|
a.RefID = refID
|
|
|
|
|
a.DocumentID = documentID
|
|
|
|
|
a.Job = job
|
|
|
|
|
random := secrets.GenerateSalt()
|
|
|
|
|
a.FileID = random[0:9]
|
|
|
|
|
a.Filename = filename.Filename
|
|
|
|
|
a.Data = b.Bytes()
|
2019-04-17 17:13:18 +01:00
|
|
|
a.SectionID = sectionID
|
2017-07-26 20:03:23 +01:00
|
|
|
|
|
|
|
|
ctx.Transaction, err = h.Runtime.Db.Beginx()
|
|
|
|
|
if err != nil {
|
|
|
|
|
response.WriteServerError(w, method, err)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("transaction", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
err = h.Store.Attachment.Add(ctx, a)
|
|
|
|
|
if err != nil {
|
|
|
|
|
ctx.Transaction.Rollback()
|
|
|
|
|
response.WriteServerError(w, method, err)
|
2017-08-03 10:00:24 +01:00
|
|
|
h.Runtime.Log.Error("add attachment", err)
|
2017-07-26 20:03:23 +01:00
|
|
|
return
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ctx.Transaction.Commit()
|
|
|
|
|
|
2018-02-04 15:43:57 +00:00
|
|
|
h.Store.Audit.Record(ctx, audit.EventTypeAttachmentAdd)
|
|
|
|
|
|
2017-08-15 19:41:44 +01:00
|
|
|
all, _ := h.Store.Attachment.GetAttachments(ctx, documentID)
|
|
|
|
|
d, _ := h.Store.Document.Get(ctx, documentID)
|
2018-03-14 13:38:37 +00:00
|
|
|
|
|
|
|
|
if d.Lifecycle == workflow.LifecycleLive {
|
|
|
|
|
go h.Indexer.IndexDocument(ctx, d, all)
|
|
|
|
|
} else {
|
|
|
|
|
go h.Indexer.DeleteDocument(ctx, d.RefID)
|
|
|
|
|
}
|
2017-08-15 19:41:44 +01:00
|
|
|
|
2017-07-26 20:03:23 +01:00
|
|
|
response.WriteEmpty(w)
|
|
|
|
|
}
|
