Fix broken access control and refactor avatar upload

This commit moves the note folder from /public/uploads/note to /uploads/note and changes the uploader accordingly. Now it's no longer possible to avoid the access control by modifing the url. The Avatar upload has been refactored to use an own uploader as well to cleanly seperate the two upload types.
author: Hannes Rosenögger <Hannes.Rosenoegger@bva.bund.de> 2015-02-09 16:35:48 +0300
committer: Douwe Maan <douwe@gitlab.com> 2015-02-16 22:10:15 +0300
commit: 7d5f86f6cbd187e75a6ba164ad6bfd036977dd07 (patch)
tree: 43f9cf4d556b95f73481df0e6f258600b59f5a51 /app/uploaders/avatar_uploader.rb
parent: 87b413592499ddcf1149d9e2b580f76a13bf625c (diff)
1 files changed, 32 insertions, 0 deletions
diff --git a/app/uploaders/avatar_uploader.rb b/app/uploaders/avatar_uploader.rb
new file mode 100644
index 00000000000..7cad044555b
--- /dev/null
+++ b/app/uploaders/avatar_uploader.rb
@@ -0,0 +1,32 @@
+# encoding: utf-8
+
+class AvatarUploader < CarrierWave::Uploader::Base
+  storage :file
+
+  after :store, :reset_events_cache
+
+  def store_dir
+    "uploads/#{model.class.to_s.underscore}/#{mounted_as}/#{model.id}"
+  end
+
+  def image?
+    img_ext = %w(png jpg jpeg gif bmp tiff)
+    if file.respond_to?(:extension)
+      img_ext.include?(file.extension.downcase)
+    else
+      # Not all CarrierWave storages respond to :extension
+      ext = file.path.split('.').last.downcase
+      img_ext.include?(ext)
+    end
+  rescue
+    false
+  end
+
+  def file_storage?
+    self.class.storage == CarrierWave::Storage::File
+  end
+
+  def reset_events_cache(file)
+    model.reset_events_cache if model.is_a?(User)
+  end
+end
author	Hannes Rosenögger <Hannes.Rosenoegger@bva.bund.de>	2015-02-09 16:35:48 +0300
committer	Douwe Maan <douwe@gitlab.com>	2015-02-16 22:10:15 +0300
commit	7d5f86f6cbd187e75a6ba164ad6bfd036977dd07 (patch)
tree	43f9cf4d556b95f73481df0e6f258600b59f5a51 /app/uploaders/avatar_uploader.rb
parent	87b413592499ddcf1149d9e2b580f76a13bf625c (diff)