* feat(transaction): add support for file attachments using Active Storage * feat(attachments): implement transaction attachments with upload, show, and delete functionality * feat(attachments): enhance attachment upload functionality to support multiple files and improved error handling * feat(attachments): add attachment upload form and display functionality in transaction views * feat(attachments): implement attachment validation for count, size, and content type; enhance upload form with validation hints * fix(attachments): use correct UI components * feat(attachments): Implement Turbo Stream responses for creating and deleting transaction attachments. * fix(attachments): include auth in activestorage controller * test(attachments): add test coverage for turbostream and auth * feat(attachments): extract strings to i18n * fix(attachments): ensure only newly added attachments are purged when transaction validation fails. * fix(attachments): validate attachment params * refactor(attachments): use stimulus declarative actions * fix(attachments): add auth for other representations * refactor(attachments): use Browse component for attachment uploads * fix(attachments): reject empty values on attachment upload * fix(attachments): hide the upload form if reached max uploads * fix(attachments): correctly purge only newly added attachments on upload failure * fix(attachments): ensure attachment count limit is respected within a transaction lock * fix(attachments): update attachment parameter handling to avoid `ParameterMissing` errors. * fix(components): adjust icon_only logic for buttonish --------- Signed-off-by: Juan José Mata <juanjo.mata@gmail.com> Co-authored-by: Juan José Mata <juanjo.mata@gmail.com>
# Override Active Storage blob serving to enforce authorization
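Rails.application.config.to_prepare do
  # Concern mixed into the Active Storage serving controllers listed at the
  # bottom of this block. It adds a family-ownership check for blobs that are
  # attached to a Transaction.
  #
  # Scope of the check, as written here:
  # * Only blobs with at least one Transaction attachment are family-checked.
  #   Blobs attached solely to other record types get whatever `Authentication`
  #   enforces and nothing more.
  # * Only the four controllers listed below are covered. The redirect
  #   controllers answer with a URL on the storage service; fetching that URL
  #   does not pass through this callback, so its expiry is the only limit once
  #   it has been issued (NOTE(review): confirm the configured expiry is short).
  module ActiveStorageAttachmentAuthorization
    extend ActiveSupport::Concern

    included do
      # Included before the authorization callback is registered so that any
      # callbacks it adds are queued first.
      # NOTE(review): presumably this is what populates Current.family; confirm.
      include Authentication
      before_action :authorize_transaction_attachment, if: :transaction_attachment?
    end

    private

    # Denies the request unless every Transaction this blob is attached to
    # belongs to the current family.
    #
    # Fails closed: a missing record, entry, account or family anywhere in the
    # chain is treated as "not owned" instead of surfacing as NoMethodError.
    # With no Transaction attachments at all this is a no-op.
    #
    # @raise [ActiveRecord::RecordNotFound] when access is denied; the same
    #   error a missing blob would produce, so the response does not reveal
    #   that the attachment exists.
    # @return [void]
    def authorize_transaction_attachment
      permitted = transaction_attachments.all? do |attachment|
        owning_family = attachment.record&.entry&.account&.family
        # Require a concrete family so that nil never compares equal to nil.
        owning_family && Current.family == owning_family
      end

      raise ActiveRecord::RecordNotFound unless permitted
    end

    # @return [Boolean] true when the requested blob has at least one
    #   attachment whose record_type is "Transaction"
    def transaction_attachment?
      transaction_attachments.any?
    end

    # Transaction attachments of the requested blob, looked up once per
    # controller instance.
    #
    # The record_type filter is part of the query: a blob may have several
    # attachment rows, and an unfiltered single-row lookup could return a
    # non-Transaction row and skip the ownership check.
    #
    # @return [Array<ActiveStorage::Attachment>]
    def transaction_attachments
      return @transaction_attachments if defined?(@transaction_attachments)

      blob = authorized_blob
      @transaction_attachments =
        if blob
          ActiveStorage::Attachment.where(blob: blob, record_type: "Transaction").to_a
        else
          []
        end
    end

    # The blob being served: @blob when set, otherwise the blob behind
    # @representation. Both are instance variables of the host controller.
    #
    # @return [ActiveStorage::Blob, nil]
    def authorized_blob
      @blob || @representation&.blob
    end
  end

  # Every controller that serves blob or representation bytes (directly or by
  # redirect) must appear here; one that is left out is served unchecked.
  [
    ActiveStorage::Blobs::RedirectController,
    ActiveStorage::Blobs::ProxyController,
    ActiveStorage::Representations::RedirectController,
    ActiveStorage::Representations::ProxyController
  ].each do |controller|
    controller.include ActiveStorageAttachmentAuthorization
  end
end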