shrinerb / shrine

File Attachment toolkit for Ruby applications

Home Page:https://shrinerb.com

Download endpoint authentication not finding owner of image

darylpdavies opened this issue · comments

I've been following this guide: https://shrinerb.com/docs/plugins/download_endpoint

Here is my controller:

```ruby
# app/controllers/downloads_controller.rb (Rails)
class DownloadsController < ApplicationController
  def image
    # Pundit: `authorize :download` resolves to DownloadPolicy#image? for this action
    authorize :download
    set_rack_response ImageUploader.download_response(request.env)
  end

  private

  # Unpack the Rack triple [status, headers, body] into the Rails response
  def set_rack_response((status, headers, body))
    self.status = status
    self.headers.merge!(headers)
    self.response_body = body
  end
end
```

And here is my authentication policy using pundit:

```ruby
class DownloadPolicy < ApplicationPolicy
  # Permits every download request; no record is checked here
  def image?
    true
  end

  class Scope < Scope
    def resolve
      scope.where(user: post.user)
    end
  end
end
```

I have multitenancy working where images belong to posts, and users can only access their posts.

How can I tell the download_endpoint to only download images that belong to posts by the current user?

The download endpoint is intended for serving files encoded in the URL, regardless of permissions. To use authorization, you will have to drop a level lower, and use the rack_response plugin, which download_endpoint uses internally. For example:

```ruby
class ImagesController < ApplicationController
  def download
    # Scope both lookups through the current user, so a foreign id raises RecordNotFound
    post = current_user.posts.find(params[:post_id])
    image = post.images.find(params[:id])
    # rack_response plugin: build the Rack triple for this file (range passes the Range header through)
    set_rack_response image.to_rack_response(range: request.env["HTTP_RANGE"])
  end
  # ...
end
```

Please ask usage questions on the discussion forum; GitHub issues should only be used for reporting bugs.
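The scoped lookup the maintainer describes, as an added example that is not part of this thread or of Shrine's code: plain-Ruby stand-ins (User/Post/Image structs, a hypothetical ScopedDownloadApp) model a Rack-style download route that resolves the image through the current user's posts and then checks a Pundit-style record policy, instead of serving whatever id the URL names as download_endpoint does.

```ruby
# Added example (not Shrine's or the issue author's code): plain-Ruby stand-ins
# for the maintainer's advice. The download route resolves the image through the
# current user's posts, and a Pundit-style policy checks the resolved record.
User  = Struct.new(:id)
Post  = Struct.new(:id, :user_id)
Image = Struct.new(:id, :post_id, :mime_type, :data)

# Constructed sample data: user 1 owns post 10 (image "img-a"),
# user 2 owns post 20 (image "img-b").
USERS  = { 1 => User.new(1), 2 => User.new(2) }
POSTS  = [Post.new(10, 1), Post.new(20, 2)]
IMAGES = [Image.new("img-a", 10, "image/png", "bytes-of-a"),
          Image.new("img-b", 20, "image/png", "bytes-of-b")]

# Record-level policy: only the owner of the image's post may download it.
class DownloadPolicy
  def initialize(user, image)
    @user, @image = user, image
  end

  def download?
    post = POSTS.find { |p| p.id == @image.post_id }
    !post.nil? && post.user_id == @user.id
  end
end

# Rack-style app (hypothetical name; only the call(env) convention is used).
class ScopedDownloadApp
  ROUTE = %r{\A/posts/(?<post_id>\d+)/images/(?<id>[\w-]+)\z}
  def call(env)
    user = USERS[env["app.user_id"]]   # set by authentication middleware in a real app
    return plain(401, "unauthorized") unless user
    m = ROUTE.match(env["PATH_INFO"].to_s)
    return plain(404, "not found") unless m
    # Scope the lookup through the user's own posts, like current_user.posts.find:
    # an id belonging to someone else resolves to 404, so the URL alone grants nothing.
    post  = POSTS.find { |p| p.user_id == user.id && p.id == m[:post_id].to_i }
    image = post && IMAGES.find { |i| i.post_id == post.id && i.id == m[:id] }
    return plain(404, "not found") unless image
    # Defence in depth: re-check the resolved record against the policy.
    return plain(403, "forbidden") unless DownloadPolicy.new(user, image).download?
    [200, { "Content-Type" => image.mime_type, "Content-Disposition" => "inline" }, [image.data]]
  end

  private

  def plain(status, text)
    [status, { "Content-Type" => "text/plain" }, [text]]
  end
end
```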