Copy file endpoint #1382
Copy file endpoint #1382
Conversation
| @@ -610,6 +610,29 @@ def rr_access_dp | |||
|
|
|||
| end | |||
|
|
|||
| # API method to copy files from one DP to another via a bourreau | |||
| def file_copy #:nodoc: | |||
There was a problem hiding this comment.
Rejected for security. This action has no validation or verifications. It will copy any files to anywhere. Which means that if we deployed this, a normal user could copy any file, including those that belongs to the admins or other users, to their own data provider.
|
Rejected. The role of a controller action is to make sure all parameters are valid for the current session! |
|
Check legitimate access for
|
|
For point 3 of my previous comment, there is an excellent example already in the controllers, e.g. in userfiles = Userfile
.find_all_accessible_by_user(current_user, :access_requested => :write)
.where(:id => file_ids)except you'll have to change the |
| # Filter out userfile_ids that are not readable by the user | ||
| userfile_ids = Userfile.find_all_accessible_by_user(current_user, :access_requested => :read) | ||
| .where(:id => userfile_ids).pluck(:id) | ||
|
|
||
| bourreau.send_command_copy_files(userfile_ids, data_provider_id, current_user.id) | ||
| render :json => { :status => "ok" } |
There was a problem hiding this comment.
While you are at it, when not return some useful information in the JSON reply, like the number of files that were actually selected for the move? (userfile_ids.size) ?
|
Looks good to me. Before I merge, I want to discuss if this action is really a 'bourreau' action, or if it would be more appropriate in a different controller. We are selecting files to be copied to a data provider, so maybe it's userfile action, or a data provider action? |
No description provided.