Use secure token to create attachment links

The link is public but protected by a secure token. This extends the activesupport Attachment model to automatically generate a token
2020-04-12 23:47:56 +02:00
parent ad317e917d
commit 73c184a4a0
5 changed files with 14 additions and 3 deletions
--- a/app/controllers/file_uploads_controller.rb
+++ b/app/controllers/file_uploads_controller.rb
@@ -2,7 +2,7 @@ class FileUploadsController < ApplicationController
  def show
    @form = Form.find_by!(token: params[:form_id])
    @submission = @form.submissions.find(params[:submission_id])
-    @file_upload = @submission.files_attachments.find(params[:id])
+    @file_upload = @submission.files_attachments.find_by!(token: params[:id])
    redirect_to url_for(@file_upload)
  end
 end
--- a/app/models/submission.rb
+++ b/app/models/submission.rb
@@ -37,7 +37,7 @@ class Submission < ApplicationRecord
      attachment = ActiveStorage::Attachment.new(record: self, name: 'files', blob: create_one.blob)
      attachment.save
      # return the URL that we use to show in the Spreadsheet
-      Rails.application.routes.url_helpers.file_upload_url(form_id: form, submission_id: self, id: attachment.id, host: DEFAULT_HOST)
+      Rails.application.routes.url_helpers.file_upload_url(form_id: form, submission_id: self, id: attachment.token, host: DEFAULT_HOST)
    else
      value.to_s
    end