Download endpoint authentication not finding owner of image
darylpdavies opened this issue
I've been following this guide: https://shrinerb.com/docs/plugins/download_endpoint
Here is my controller:
    # app/controllers/downloads_controller.rb (Rails)
    class DownloadsController < ApplicationController
      def image
        authorize :download
        # download_endpoint decodes the file from the URL and builds the Rack triple
        set_rack_response ImageUploader.download_response(request.env)
      end

      private

      # Copies a Rack [status, headers, body] triple onto the Rails response
      def set_rack_response((status, headers, body))
        self.status = status
        self.headers.merge!(headers)
        self.response_body = body
      end
    end
And here is my authentication policy using pundit:
    class DownloadPolicy < ApplicationPolicy
      # Action-level check for DownloadsController#image
      def image?
        true
      end

      class Scope < Scope
        # Restrict records to those owned by the post's user
        def resolve
          scope.where(user: post.user)
        end
      end
    end
I have multitenancy working where images belong to posts, and users can only access their posts.
How can I tell the download_endpoint to only download images that belong to posts by the current user?
The download endpoint is intended for serving files encoded in the URL, regardless of permissions. To use authorization, you will have to drop a level lower, and use the rack_response plugin, which download_endpoint uses internally. For example:
    class ImagesController < ApplicationController
      def download
        # Resolve the post through current_user, so a post the user does not own is never found
        post = current_user.posts.find(params[:post_id])
        image = post.images.find(params[:id])
        # rack_response plugin: build the Rack triple for this specific uploaded file
        set_rack_response image.to_rack_response(request.env)
      end

      # ... (set_rack_response as in the controller above)
    end
Please ask usage questions on the discussion forum; GitHub issues should only be used for reporting bugs.
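The difference the reply describes, as an added example that is not part of the issue or of Shrine: plain Ruby structs stand in for the Rails models and Shrine's rack_response plugin (`rack_response`, `unscoped_download`, `scoped_download` and the sample records are all constructed here), so it runs offline. The unscoped variant serves whatever file the URL names; the scoped variant resolves the record through the current user's associations and answers 404 for anything the user does not own.

```ruby
# Added example, not code from the issue or from Shrine.
User  = Struct.new(:id)
Post  = Struct.new(:id, :user_id)
Image = Struct.new(:id, :post_id, :filename, :data)

# Constructed sample data: two tenants, each with one post holding one image.
USERS  = { 1 => User.new(1), 2 => User.new(2) }.freeze
POSTS  = { 10 => Post.new(10, 1), 20 => Post.new(20, 2) }.freeze
IMAGES = {
  100 => Image.new(100, 10, "alice.png", "PNG-A"),
  200 => Image.new(200, 20, "bob.png",   "PNG-B"),
}.freeze

NOT_FOUND = [404, { "Content-Type" => "text/plain" }, ["Not Found"]].freeze

# Stand-in for what rack_response's to_rack_response produces: a Rack triple.
def rack_response(image)
  [200,
   { "Content-Type"        => "image/png",
     "Content-Length"      => image.data.bytesize.to_s,
     "Content-Disposition" => "inline; filename=\"#{image.filename}\"" },
   [image.data]]
end

# download_endpoint style: the file identity comes from the URL alone, so the
# response depends only on the id, never on who is asking.
def unscoped_download(image_id)
  image = IMAGES[image_id]
  image ? rack_response(image) : NOT_FOUND
end

# The reply's pattern: current_user.posts.find(post_id) then post.images.find(id).
# A record outside the user's tenant is indistinguishable from a nonexistent one,
# so the caller learns nothing about other tenants' data (404, not 403).
def scoped_download(current_user, post_id, image_id)
  post = POSTS[post_id]
  return NOT_FOUND unless post && post.user_id == current_user.id
  image = IMAGES[image_id]
  return NOT_FOUND unless image && image.post_id == post.id
  rack_response(image)
end
```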