const localFSStore = process.env.ATTACHMENTS_STORE_PATH; const storeName = 'attachments'; const defaultStoreOptions = { beforeWrite: fileObj => { if (!fileObj.isImage()) { return { type: 'application/octet-stream', }; } return {}; }, }; const Store = localFSStore ? new FS.Store.FileSystem(storeName, { path: localFSStore, ...defaultStoreOptions, }) : new FS.Store.GridFS(storeName, { // XXX Add a new store for cover thumbnails so we don't load big images in // the general board view // If the uploaded document is not an image we need to enforce browser // download instead of execution. This is particularly important for HTML // files that the browser will just execute if we don't serve them with the // appropriate `application/octet-stream` MIME header which can lead to user // data leaks. I imagine other formats (like PDF) can also be attack vectors. // See https://github.com/wekan/wekan/issues/99 // XXX Should we use `beforeWrite` option of CollectionFS instead of // collection-hooks? // We should use `beforeWrite`. ...defaultStoreOptions, }); Attachments = new FS.Collection('attachments', { stores: [Store], }); if (Meteor.isServer) { Meteor.startup(() => { Attachments.files._ensureIndex({ cardId: 1 }); }); Attachments.allow({ insert(userId, doc) { return allowIsBoardMember(userId, Boards.findOne(doc.boardId)); }, update(userId, doc) { return allowIsBoardMember(userId, Boards.findOne(doc.boardId)); }, remove(userId, doc) { return allowIsBoardMember(userId, Boards.findOne(doc.boardId)); }, // We authorize the attachment download either: // - if the board is public, everyone (even unconnected) can download it // - if the board is private, only board members can download it download(userId, doc) { const board = Boards.findOne(doc.boardId); if (board.isPublic()) { return true; } else { return board.hasMember(userId); } }, fetch: ['boardId'], }); } // XXX Enforce a schema for the Attachments CollectionFS if (Meteor.isServer) { Attachments.files.after.insert((userId, doc) => { // If the attachment doesn't have a source field // or its source is different than import if (!doc.source || doc.source !== 'import') { // Add activity about adding the attachment Activities.insert({ userId, type: 'card', activityType: 'addAttachment', attachmentId: doc._id, boardId: doc.boardId, cardId: doc.cardId, listId: doc.listId, swimlaneId: doc.swimlaneId, }); } else { // Don't add activity about adding the attachment as the activity // be imported and delete source field Attachments.update( { _id: doc._id, }, { $unset: { source: '', }, }, ); } }); Attachments.files.before.remove((userId, doc) => { Activities.insert({ userId, type: 'card', activityType: 'deleteAttachment', attachmentId: doc._id, boardId: doc.boardId, cardId: doc.cardId, listId: doc.listId, swimlaneId: doc.swimlaneId, }); }); Attachments.files.after.remove((userId, doc) => { Activities.remove({ attachmentId: doc._id, }); }); } export default Attachments;