Merge pull request #3802 from manyfold3d/fix-signed-urls-in-single-user-mode

Fix signed urls (open in slicer) in single user mode

Author: Floppy

app/controllers/application_controller.rb

@@ -5,7 +5,7 @@ class ApplicationController < ActionController::Base
   after_action :verify_policy_scoped, only: :index, unless: :active_admin_controller?
   after_action :set_content_security_policy_header, if: -> { request.format.html? }
 
-  before_action :authenticate_user!, if: -> { !SiteSettings.multiuser_enabled? }
+  before_action :authenticate_user!, unless: -> { SiteSettings.multiuser_enabled? || has_signed_id? }
   around_action :switch_locale
   before_action :check_for_first_use
   before_action :show_security_alerts
@@ -45,6 +45,10 @@ def active_admin_controller?
 
   private
 
+  def has_signed_id?
+    params[:id] && ApplicationRecord.signed_id_verifier.valid_message?(params[:id])
+  end
+
   def img_src
     url = ENV.fetch "SITE_ICON", nil
     url ? URI.parse(url).host : nil

app/controllers/model_files_controller.rb

@@ -140,7 +140,7 @@ def get_model
 
   def get_file
     # Check for signed download URLs
-    if params[:id].length > 20
+    if has_signed_id?
       @file = @model.model_files.find_signed!(params[:id], purpose: "download")
       skip_authorization
     else

spec/requests/model_files_spec.rb

@@ -11,28 +11,30 @@
 #                        DELETE /models/:model_id/model_files/:id(.:format)       model_files#destroy
 
 RSpec.describe "Model Files" do
-  context "when signed out" do
-    context "when downloading via a signed ID", :multiuser do
-      before { create(:admin) }
+  [:multiuser, :singleuser].each do |mode|
+    context "when signed out in #{mode} mode", mode do
+      context "when downloading via a signed ID" do
+        before { create(:admin) }
 
-      let!(:file) { create(:model_file, filename: "test.jpg") }
+        let!(:file) { create(:model_file, filename: "test.jpg") }
 
-      it "succeeds with a valid ID" do
-        id = file.signed_id(expires_in: 1.minute, purpose: "download")
-        get "/models/#{file.model.to_param}/model_files/#{id}.jpg?download=true"
-        expect(response).to have_http_status(:success)
-      end
+        it "succeeds with a valid ID" do
+          id = file.signed_id(expires_in: 1.minute, purpose: "download")
+          get "/models/#{file.model.to_param}/model_files/#{id}.jpg?download=true"
+          expect(response).to have_http_status(:success)
+        end
 
-      it "fails if expired" do
-        id = file.signed_id(expires_at: 1.minute.ago, purpose: "download")
-        get "/models/#{file.model.to_param}/model_files/#{id}.jpg?download=true"
-        expect(response).to have_http_status(:not_found)
-      end
+        it "fails if expired" do
+          id = file.signed_id(expires_at: 1.minute.ago, purpose: "download")
+          get "/models/#{file.model.to_param}/model_files/#{id}.jpg?download=true"
+          expect(response).to have_http_status(:not_found)
+        end
 
-      it "fails if purpose doesn't match" do
-        id = file.signed_id(expires_in: 1.minute, purpose: "shenanigans")
-        get "/models/#{file.model.to_param}/model_files/#{id}.jpg?download=true"
-        expect(response).to have_http_status(:not_found)
+        it "fails if purpose doesn't match" do
+          id = file.signed_id(expires_in: 1.minute, purpose: "shenanigans")
+          get "/models/#{file.model.to_param}/model_files/#{id}.jpg?download=true"
+          expect(response).to have_http_status(:not_found)
+        end
       end
     end
   end