Restrict access to uploads #2088
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
pixeltrix
force-pushed
the
restrict-access-to-uploads
branch
4 times, most recently
from
10541d9 to
7711eea
Compare
pixeltrix
force-pushed
the
restrict-access-to-uploads
branch
5 times, most recently
from
5fb2b97 to
d23f4a0
Compare
pixeltrix
commented
Jan 14, 2025
| @@ -209,12 +226,11 @@ class NotArchiveableError < StandardError; end | |||
| validate :numbered | |||
| validate :created_date_is_in_the_past | |||
|
|
|||
| default_scope -> { no_owner.or(not_excluded_owners) } | |||
|
|
|||
There was a problem hiding this comment.
This needed to be removed so the uploads engine could find all documents for checking the blob key
| .or(where(file_preview_variant_blobs: {key:})) | ||
| .distinct.sole | ||
| end | ||
|
|
There was a problem hiding this comment.
This huge block is so we can find a document through a local authority and prevent someone using access in one local authority to access a document in another authority.
There was a problem hiding this comment.
Doing an EXPLAIN on the query shows it's not great so continuing to look at other options.
| @@ -6,3 +7,4 @@ GROUPED_PROPOSAL_DETAILS_FEATURE=enabled | |||
| GOOGLE_TAG_MANAGER_ID=GTM-XXXXXXXX | |||
| UPLOADS_HOSTNAME=uploads.bops.localhost | |||
| UPLOADS_BASE_URL=http://uploads.bops.localhost:3000 | |||
| USE_SIGNED_URLS=false | |||
There was a problem hiding this comment.
Need to deploy this to staging so we can test it but don't want to break the app so this controls whether it uses the current urls or the new urls.
This is so they can be reused in other engines.
This is the first step in adding signed cookies.
The default scope prevents the bops_uploads module from finding the correct document for a blob key if it is a site visit, press notice, etc.
pixeltrix
force-pushed
the
restrict-access-to-uploads
branch
from
d23f4a0 to
159f73d
Compare
benjamineskola
approved these changes
Jan 15, 2025
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description of change
Use CloudFront signed cookies to prevent premature access to planning application documents.
Story Link
https://trello.com/c/1VP9wgYz