documize/domain/attachment/endpoint.go

// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com

package attachment

import (
	"bytes"
	"database/sql"
	"fmt"
	"io"
	"mime"
	"net/http"

	"github.com/documize/community/core/env"
	"github.com/documize/community/core/request"
	"github.com/documize/community/core/response"
	"github.com/documize/community/core/secrets"
	"github.com/documize/community/core/uniqueid"
	"github.com/documize/community/domain"
	"github.com/documize/community/domain/organization"
	"github.com/documize/community/domain/permission"
	indexer "github.com/documize/community/domain/search"
	"github.com/documize/community/domain/store"
	"github.com/documize/community/model/attachment"
	"github.com/documize/community/model/audit"
	"github.com/documize/community/model/workflow"
	uuid "github.com/nu7hatch/gouuid"
)

// Handler contains the runtime information such as logging and database.
type Handler struct {
	Runtime *env.Runtime
	Store   *store.Store
	Indexer indexer.Indexer
}

// Download sends requested file to the client/browser.
func (h *Handler) Download(w http.ResponseWriter, r *http.Request) {
	method := "attachment.Download"
	ctx := domain.GetRequestContext(r)
	ctx.Subdomain = organization.GetSubdomainFromHost(r)

	a, err := h.Store.Attachment.GetAttachment(ctx, request.Param(r, "orgID"), request.Param(r, "attachmentID"))

	if err == sql.ErrNoRows {
		response.WriteNotFoundError(w, method, request.Param(r, "fileID"))
		return
	}
	if err != nil {
		h.Runtime.Log.Error("get attachment", err)
		response.WriteServerError(w, method, err)
		return
	}

	typ := mime.TypeByExtension("." + a.Extension)
	if typ == "" {
		typ = "application/octet-stream"
	}

	w.Header().Set("Content-Type", typ)
	w.Header().Set("Content-Disposition", `Attachment; filename="`+a.Filename+`" ; `+`filename*="`+a.Filename+`"`)
	w.Header().Set("Content-Length", fmt.Sprintf("%d", len(a.Data)))
	w.WriteHeader(http.StatusOK)

	_, err = w.Write(a.Data)
	if err != nil {
		h.Runtime.Log.Error("write attachment", err)
		return
	}

	h.Store.Audit.Record(ctx, audit.EventTypeAttachmentDownload)
}

// Get is an end-point that returns all of the attachments of a particular documentID.
func (h *Handler) Get(w http.ResponseWriter, r *http.Request) {
	method := "attachment.GetAttachments"
	ctx := domain.GetRequestContext(r)

	documentID := request.Param(r, "documentID")
	if len(documentID) == 0 {
		response.WriteMissingDataError(w, method, "documentID")
		return
	}

	if !permission.CanViewDocument(ctx, *h.Store, documentID) {
		response.WriteForbiddenError(w)
		return
	}

	a, err := h.Store.Attachment.GetAttachments(ctx, documentID)
	if err != nil && err != sql.ErrNoRows {
		h.Runtime.Log.Error("get attachment", err)
		response.WriteServerError(w, method, err)
		return
	}

	if len(a) == 0 {
		a = []attachment.Attachment{}
	}

	response.WriteJSON(w, a)
}

// Delete is an endpoint that deletes a particular document attachment.
func (h *Handler) Delete(w http.ResponseWriter, r *http.Request) {
	method := "attachment.DeleteAttachment"
	ctx := domain.GetRequestContext(r)

	documentID := request.Param(r, "documentID")
	if len(documentID) == 0 {
		response.WriteMissingDataError(w, method, "documentID")
		return
	}

	attachmentID := request.Param(r, "attachmentID")
	if len(attachmentID) == 0 {
		response.WriteMissingDataError(w, method, "attachmentID")
		return
	}

	if !permission.CanChangeDocument(ctx, *h.Store, documentID) {
		response.WriteForbiddenError(w)
		return
	}

	var err error
	ctx.Transaction, err = h.Runtime.Db.Beginx()
	if err != nil {
		h.Runtime.Log.Error("transaction", err)
		response.WriteServerError(w, method, err)
		return
	}

	_, err = h.Store.Attachment.Delete(ctx, attachmentID)
	if err != nil {
		ctx.Transaction.Rollback()
		response.WriteServerError(w, method, err)
		h.Runtime.Log.Error("delete attachment", err)
		return
	}

	// Mark references to this document as orphaned
	err = h.Store.Link.MarkOrphanAttachmentLink(ctx, attachmentID)
	if err != nil {
		ctx.Transaction.Rollback()
		response.WriteServerError(w, method, err)
		h.Runtime.Log.Error("delete attachment links", err)
		return
	}

	ctx.Transaction.Commit()

	h.Store.Audit.Record(ctx, audit.EventTypeAttachmentDelete)

	a, _ := h.Store.Attachment.GetAttachments(ctx, documentID)
	d, _ := h.Store.Document.Get(ctx, documentID)

	if d.Lifecycle == workflow.LifecycleLive {
		go h.Indexer.IndexDocument(ctx, d, a)
	} else {
		go h.Indexer.DeleteDocument(ctx, d.RefID)
	}

	response.WriteEmpty(w)
}

// Add stores files against a document.
func (h *Handler) Add(w http.ResponseWriter, r *http.Request) {
	method := "attachment.Add"
	ctx := domain.GetRequestContext(r)

	documentID := request.Param(r, "documentID")
	if len(documentID) == 0 {
		response.WriteMissingDataError(w, method, "documentID")
		return
	}

	if !permission.CanChangeDocument(ctx, *h.Store, documentID) {
		response.WriteForbiddenError(w)
		return
	}

	filedata, filename, err := r.FormFile("attachment")
	if err != nil {
		response.WriteMissingDataError(w, method, "attachment")
		return
	}

	b := new(bytes.Buffer)
	_, err = io.Copy(b, filedata)
	if err != nil {
		response.WriteServerError(w, method, err)
		h.Runtime.Log.Error("add attachment", err)
		return
	}

	var job = "some-uuid"
	newUUID, err := uuid.NewV4()
	if err != nil {
		h.Runtime.Log.Error("uuid", err)
		response.WriteServerError(w, method, err)
		return
	}
	job = newUUID.String()

	var a attachment.Attachment
	refID := uniqueid.Generate()
	a.RefID = refID
	a.DocumentID = documentID
	a.Job = job
	random := secrets.GenerateSalt()
	a.FileID = random[0:9]
	a.Filename = filename.Filename
	a.Data = b.Bytes()

	ctx.Transaction, err = h.Runtime.Db.Beginx()
	if err != nil {
		response.WriteServerError(w, method, err)
		h.Runtime.Log.Error("transaction", err)
		return
	}

	err = h.Store.Attachment.Add(ctx, a)
	if err != nil {
		ctx.Transaction.Rollback()
		response.WriteServerError(w, method, err)
		h.Runtime.Log.Error("add attachment", err)
		return
	}

	ctx.Transaction.Commit()

	h.Store.Audit.Record(ctx, audit.EventTypeAttachmentAdd)

	all, _ := h.Store.Attachment.GetAttachments(ctx, documentID)
	d, _ := h.Store.Document.Get(ctx, documentID)

	if d.Lifecycle == workflow.LifecycleLive {
		go h.Indexer.IndexDocument(ctx, d, all)
	} else {
		go h.Indexer.DeleteDocument(ctx, d.RefID)
	}

	response.WriteEmpty(w)
}
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.`
			`//`
			`// This software (Documize Community Edition) is licensed under`
			`// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html`
			`//`
			`// You can operate outside the AGPL restrictions by purchasing`
			`// Documize Enterprise Edition and obtaining a commercial license`
			`// by contacting <sales@documize.com>.`
			`//`
			`// https://documize.com`

			`package attachment`

			`import (`
			`"bytes"`
			`"database/sql"`
			`"fmt"`
			`"io"`
			`"mime"`
			`"net/http"`

			`"github.com/documize/community/core/env"`
			`"github.com/documize/community/core/request"`
			`"github.com/documize/community/core/response"`
			`"github.com/documize/community/core/secrets"`
			`"github.com/documize/community/core/uniqueid"`
			`"github.com/documize/community/domain"`
permission screen UI overflow fix 1. handle long username overflow on space permissions screen 2. only show document history to editors 3. removed redundant document editing permission check 4. Ensure subdomain is detected when accepting space invitation 2017-08-31 18:01:07 +01:00			`"github.com/documize/community/domain/organization"`
refactored permission code 2017-09-18 17:53:42 +01:00			`"github.com/documize/community/domain/permission"`
add entries to search index 2017-08-15 19:41:44 +01:00			`indexer "github.com/documize/community/domain/search"`
Continued MySQL/PostgreSQL store provider refactoring Refactored, renamed, removed storage related code. Basic smoke test passed for PostgreSQL whilst fully working on MySQL variants as per usual. 2018-09-27 15:14:48 +01:00			`"github.com/documize/community/domain/store"`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`"github.com/documize/community/model/attachment"`
			`"github.com/documize/community/model/audit"`
Provider foundation for doc lifecycle and versions 2018-03-14 13:38:37 +00:00			`"github.com/documize/community/model/workflow"`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`uuid "github.com/nu7hatch/gouuid"`
			`)`

			`// Handler contains the runtime information such as logging and database.`
			`type Handler struct {`
			`Runtime *env.Runtime`
Continued MySQL/PostgreSQL store provider refactoring Refactored, renamed, removed storage related code. Basic smoke test passed for PostgreSQL whilst fully working on MySQL variants as per usual. 2018-09-27 15:14:48 +01:00			`Store *store.Store`
add entries to search index 2017-08-15 19:41:44 +01:00			`Indexer indexer.Indexer`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`}`

Comment fix for attachment endpoint 2018-06-25 19:40:04 +01:00			`// Download sends requested file to the client/browser.`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`func (h Handler) Download(w http.ResponseWriter, r http.Request) {`
			`method := "attachment.Download"`
			`ctx := domain.GetRequestContext(r)`
permission screen UI overflow fix 1. handle long username overflow on space permissions screen 2. only show document history to editors 3. removed redundant document editing permission check 4. Ensure subdomain is detected when accepting space invitation 2017-08-31 18:01:07 +01:00			`ctx.Subdomain = organization.GetSubdomainFromHost(r)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00
			`a, err := h.Store.Attachment.GetAttachment(ctx, request.Param(r, "orgID"), request.Param(r, "attachmentID"))`

			`if err == sql.ErrNoRows {`
			`response.WriteNotFoundError(w, method, request.Param(r, "fileID"))`
			`return`
			`}`
			`if err != nil {`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("get attachment", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteServerError(w, method, err)`
			`return`
			`}`

			`typ := mime.TypeByExtension("." + a.Extension)`
			`if typ == "" {`
			`typ = "application/octet-stream"`
			`}`

			`w.Header().Set("Content-Type", typ)`
			w.Header().Set("Content-Disposition", `Attachment; filename="`+a.Filename+`" ; `+`filename*="`+a.Filename+`"`)
			`w.Header().Set("Content-Length", fmt.Sprintf("%d", len(a.Data)))`
			`w.WriteHeader(http.StatusOK)`

			`_, err = w.Write(a.Data)`
			`if err != nil {`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("write attachment", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`return`
			`}`

			`h.Store.Audit.Record(ctx, audit.EventTypeAttachmentDownload)`
			`}`

			`// Get is an end-point that returns all of the attachments of a particular documentID.`
			`func (h Handler) Get(w http.ResponseWriter, r http.Request) {`
			`method := "attachment.GetAttachments"`
			`ctx := domain.GetRequestContext(r)`

			`documentID := request.Param(r, "documentID")`
			`if len(documentID) == 0 {`
			`response.WriteMissingDataError(w, method, "documentID")`
			`return`
			`}`

refactored permission code 2017-09-18 17:53:42 +01:00			`if !permission.CanViewDocument(ctx, *h.Store, documentID) {`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteForbiddenError(w)`
			`return`
			`}`

			`a, err := h.Store.Attachment.GetAttachments(ctx, documentID)`
			`if err != nil && err != sql.ErrNoRows {`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("get attachment", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteServerError(w, method, err)`
			`return`
			`}`

			`if len(a) == 0 {`
			`a = []attachment.Attachment{}`
			`}`

			`response.WriteJSON(w, a)`
			`}`

			`// Delete is an endpoint that deletes a particular document attachment.`
			`func (h Handler) Delete(w http.ResponseWriter, r http.Request) {`
			`method := "attachment.DeleteAttachment"`
			`ctx := domain.GetRequestContext(r)`

			`documentID := request.Param(r, "documentID")`
			`if len(documentID) == 0 {`
			`response.WriteMissingDataError(w, method, "documentID")`
			`return`
			`}`

			`attachmentID := request.Param(r, "attachmentID")`
			`if len(attachmentID) == 0 {`
			`response.WriteMissingDataError(w, method, "attachmentID")`
			`return`
			`}`

refactored permission code 2017-09-18 17:53:42 +01:00			`if !permission.CanChangeDocument(ctx, *h.Store, documentID) {`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteForbiddenError(w)`
			`return`
			`}`

			`var err error`
			`ctx.Transaction, err = h.Runtime.Db.Beginx()`
			`if err != nil {`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("transaction", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteServerError(w, method, err)`
			`return`
			`}`

			`_, err = h.Store.Attachment.Delete(ctx, attachmentID)`
			`if err != nil {`
			`ctx.Transaction.Rollback()`
			`response.WriteServerError(w, method, err)`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("delete attachment", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`return`
			`}`

			`// Mark references to this document as orphaned`
			`err = h.Store.Link.MarkOrphanAttachmentLink(ctx, attachmentID)`
			`if err != nil {`
			`ctx.Transaction.Rollback()`
			`response.WriteServerError(w, method, err)`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("delete attachment links", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`return`
			`}`

			`ctx.Transaction.Commit()`

Fix order of DB transaction commits Some DB commit commands were out of sequence and so have been fixed to be consist across the board. Specially, audit log entries have their own DB TX and so should be executed outside of any other commit cycle. 2018-02-04 15:43:57 +00:00			`h.Store.Audit.Record(ctx, audit.EventTypeAttachmentDelete)`

add entries to search index 2017-08-15 19:41:44 +01:00			`a, _ := h.Store.Attachment.GetAttachments(ctx, documentID)`
			`d, _ := h.Store.Document.Get(ctx, documentID)`
Provider foundation for doc lifecycle and versions 2018-03-14 13:38:37 +00:00
			`if d.Lifecycle == workflow.LifecycleLive {`
			`go h.Indexer.IndexDocument(ctx, d, a)`
			`} else {`
			`go h.Indexer.DeleteDocument(ctx, d.RefID)`
			`}`
add entries to search index 2017-08-15 19:41:44 +01:00
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteEmpty(w)`
			`}`

			`// Add stores files against a document.`
			`func (h Handler) Add(w http.ResponseWriter, r http.Request) {`
			`method := "attachment.Add"`
			`ctx := domain.GetRequestContext(r)`

			`documentID := request.Param(r, "documentID")`
			`if len(documentID) == 0 {`
			`response.WriteMissingDataError(w, method, "documentID")`
			`return`
			`}`

refactored permission code 2017-09-18 17:53:42 +01:00			`if !permission.CanChangeDocument(ctx, *h.Store, documentID) {`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteForbiddenError(w)`
			`return`
			`}`

			`filedata, filename, err := r.FormFile("attachment")`
			`if err != nil {`
			`response.WriteMissingDataError(w, method, "attachment")`
			`return`
			`}`

			`b := new(bytes.Buffer)`
			`_, err = io.Copy(b, filedata)`
			`if err != nil {`
			`response.WriteServerError(w, method, err)`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("add attachment", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`return`
			`}`

			`var job = "some-uuid"`
			`newUUID, err := uuid.NewV4()`
			`if err != nil {`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("uuid", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteServerError(w, method, err)`
			`return`
			`}`
			`job = newUUID.String()`

			`var a attachment.Attachment`
			`refID := uniqueid.Generate()`
			`a.RefID = refID`
			`a.DocumentID = documentID`
			`a.Job = job`
			`random := secrets.GenerateSalt()`
			`a.FileID = random[0:9]`
			`a.Filename = filename.Filename`
			`a.Data = b.Bytes()`

			`ctx.Transaction, err = h.Runtime.Db.Beginx()`
			`if err != nil {`
			`response.WriteServerError(w, method, err)`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("transaction", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`return`
			`}`

			`err = h.Store.Attachment.Add(ctx, a)`
			`if err != nil {`
			`ctx.Transaction.Rollback()`
			`response.WriteServerError(w, method, err)`
wrap errors up, log at top level only 2017-08-03 10:00:24 +01:00			`h.Runtime.Log.Error("add attachment", err)`
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`return`
			`}`

			`ctx.Transaction.Commit()`

Fix order of DB transaction commits Some DB commit commands were out of sequence and so have been fixed to be consist across the board. Specially, audit log entries have their own DB TX and so should be executed outside of any other commit cycle. 2018-02-04 15:43:57 +00:00			`h.Store.Audit.Record(ctx, audit.EventTypeAttachmentAdd)`

add entries to search index 2017-08-15 19:41:44 +01:00			`all, _ := h.Store.Attachment.GetAttachments(ctx, documentID)`
			`d, _ := h.Store.Document.Get(ctx, documentID)`
Provider foundation for doc lifecycle and versions 2018-03-14 13:38:37 +00:00
			`if d.Lifecycle == workflow.LifecycleLive {`
			`go h.Indexer.IndexDocument(ctx, d, all)`
			`} else {`
			`go h.Indexer.DeleteDocument(ctx, d.RefID)`
			`}`
add entries to search index 2017-08-15 19:41:44 +01:00
still moving codebase to new API (WIP) 2017-07-26 20:03:23 +01:00			`response.WriteEmpty(w)`
			`}`