summaryrefslogtreecommitdiffstats
path: root/models
diff options
context:
space:
mode:
authorLauri Ojansivu <x@xet7.org>2018-05-18 15:20:20 +0300
committerLauri Ojansivu <x@xet7.org>2018-05-18 15:20:20 +0300
commit9b465bc98bd0e0125fa1d99369f1ed7ee47d9e63 (patch)
tree8527b80be1dba22126ce03381c9cc9c5a33958ad /models
parentef99e6a6b1cd8d55fdab9ff94e7bfc3d5c538b8f (diff)
downloadwekan-9b465bc98bd0e0125fa1d99369f1ed7ee47d9e63.tar.gz
wekan-9b465bc98bd0e0125fa1d99369f1ed7ee47d9e63.tar.bz2
wekan-9b465bc98bd0e0125fa1d99369f1ed7ee47d9e63.zip
Fix lint errors back to eslint requirements.
Diffstat (limited to 'models')
-rw-r--r--models/attachments.js158
1 files changed, 79 insertions, 79 deletions
diff --git a/models/attachments.js b/models/attachments.js
index 5e5c4926..91dd0dbc 100644
--- a/models/attachments.js
+++ b/models/attachments.js
@@ -1,90 +1,90 @@
- Attachments = new FS.Collection('attachments', {
- stores: [
+Attachments = new FS.Collection('attachments', {
+ stores: [
- // XXX Add a new store for cover thumbnails so we don't load big images in
- // the general board view
- new FS.Store.GridFS('attachments', {
- // If the uploaded document is not an image we need to enforce browser
- // download instead of execution. This is particularly important for HTML
- // files that the browser will just execute if we don't serve them with the
- // appropriate `application/octet-stream` MIME header which can lead to user
- // data leaks. I imagine other formats (like PDF) can also be attack vectors.
- // See https://github.com/wekan/wekan/issues/99
- // XXX Should we use `beforeWrite` option of CollectionFS instead of
- // collection-hooks?
- // We should use `beforeWrite`.
- beforeWrite: (fileObj) => {
- if (!fileObj.isImage()) {
- return {
- type: 'application/octet-stream',
- };
- }
- return {};
- },
- }),
- ],
- });
-
-
- if (Meteor.isServer) {
- Attachments.allow({
- insert(userId, doc) {
- return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
- },
- update(userId, doc) {
- return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
- },
- remove(userId, doc) {
- return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
- },
- // We authorize the attachment download either:
- // - if the board is public, everyone (even unconnected) can download it
- // - if the board is private, only board members can download it
- download(userId, doc) {
- const board = Boards.findOne(doc.boardId);
- if (board.isPublic()) {
- return true;
- } else {
- return board.hasMember(userId);
+ // XXX Add a new store for cover thumbnails so we don't load big images in
+ // the general board view
+ new FS.Store.GridFS('attachments', {
+ // If the uploaded document is not an image we need to enforce browser
+ // download instead of execution. This is particularly important for HTML
+ // files that the browser will just execute if we don't serve them with the
+ // appropriate `application/octet-stream` MIME header which can lead to user
+ // data leaks. I imagine other formats (like PDF) can also be attack vectors.
+ // See https://github.com/wekan/wekan/issues/99
+ // XXX Should we use `beforeWrite` option of CollectionFS instead of
+ // collection-hooks?
+ // We should use `beforeWrite`.
+ beforeWrite: (fileObj) => {
+ if (!fileObj.isImage()) {
+ return {
+ type: 'application/octet-stream',
+ };
}
+ return {};
},
+ }),
+ ],
+});
- fetch: ['boardId'],
- });
- }
-
- // XXX Enforce a schema for the Attachments CollectionFS
- if (Meteor.isServer) {
- Attachments.files.after.insert((userId, doc) => {
- // If the attachment doesn't have a source field
- // or its source is different than import
- if (!doc.source || doc.source !== 'import') {
- // Add activity about adding the attachment
- Activities.insert({
- userId,
- type: 'card',
- activityType: 'addAttachment',
- attachmentId: doc._id,
- boardId: doc.boardId,
- cardId: doc.cardId,
- });
+if (Meteor.isServer) {
+ Attachments.allow({
+ insert(userId, doc) {
+ return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
+ },
+ update(userId, doc) {
+ return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
+ },
+ remove(userId, doc) {
+ return allowIsBoardMember(userId, Boards.findOne(doc.boardId));
+ },
+ // We authorize the attachment download either:
+ // - if the board is public, everyone (even unconnected) can download it
+ // - if the board is private, only board members can download it
+ download(userId, doc) {
+ const board = Boards.findOne(doc.boardId);
+ if (board.isPublic()) {
+ return true;
} else {
- // Don't add activity about adding the attachment as the activity
- // be imported and delete source field
- Attachments.update({
- _id: doc._id,
- }, {
- $unset: {
- source: '',
- },
- });
+ return board.hasMember(userId);
}
- });
+ },
+
+ fetch: ['boardId'],
+ });
+}
- Attachments.files.after.remove((userId, doc) => {
- Activities.remove({
+// XXX Enforce a schema for the Attachments CollectionFS
+
+if (Meteor.isServer) {
+ Attachments.files.after.insert((userId, doc) => {
+ // If the attachment doesn't have a source field
+ // or its source is different than import
+ if (!doc.source || doc.source !== 'import') {
+ // Add activity about adding the attachment
+ Activities.insert({
+ userId,
+ type: 'card',
+ activityType: 'addAttachment',
attachmentId: doc._id,
+ boardId: doc.boardId,
+ cardId: doc.cardId,
});
+ } else {
+ // Don't add activity about adding the attachment as the activity
+ // be imported and delete source field
+ Attachments.update({
+ _id: doc._id,
+ }, {
+ $unset: {
+ source: '',
+ },
+ });
+ }
+ });
+
+ Attachments.files.after.remove((userId, doc) => {
+ Activities.remove({
+ attachmentId: doc._id,
});
- }
+ });
+}