Change media attachments in moderated posts to not be accessible (#34872)

2025-06-12 10:53:02 +02:00 · 2025-06-12 10:53:02 +02:00 · 24d943fee0
commit 24d943fee0
parent d1fb957361
13 changed files with 140 additions and 111 deletions
--- a/app/services/update_media_attachments_permissions_service.rb
+++ b/app/services/update_media_attachments_permissions_service.rb
@ -0,0 +1,47 @@
+# frozen_string_literal: true
+
+class UpdateMediaAttachmentsPermissionsService < BaseService
+  def call(media_attachments_scope, direction)
+    # Only s3 and filesystem storage systems support modifying permissions
+    return unless %i(s3 filesystem).include?(Paperclip::Attachment.default_options[:storage])
+
+    # Prevent useless S3 calls if ACLs are disabled
+    return if Paperclip::Attachment.default_options[:storage] == :s3 && ENV['S3_PERMISSION'] == ''
+
+    attachment_names = MediaAttachment.attachment_definitions.keys
+
+    media_attachments_scope.find_each do |media_attachment|
+      attachment_names.each do |attachment_name|
+        attachment = media_attachment.public_send(attachment_name)
+        styles     = MediaAttachment::DEFAULT_STYLES | attachment.styles.keys
+
+        next if attachment.blank?
+
+        styles.each do |style|
+          case Paperclip::Attachment.default_options[:storage]
+          when :s3
+            acl = direction == :public ? Paperclip::Attachment.default_options[:s3_permissions] : 'private'
+
+            begin
+              attachment.s3_object(style).acl.put(acl: acl)
+            rescue Aws::S3::Errors::NoSuchKey
+              Rails.logger.warn "Tried to change acl on non-existent key #{attachment.s3_object(style).key}"
+            rescue Aws::S3::Errors::NotImplemented => e
+              Rails.logger.error "Error trying to change ACL on #{attachment.s3_object(style).key}: #{e.message}"
+            end
+          when :filesystem
+            mask = direction == :public ? 0o666 : 0o600
+
+            begin
+              FileUtils.chmod(mask & ~File.umask, attachment.path(style)) unless attachment.path(style).nil?
+            rescue Errno::ENOENT
+              Rails.logger.warn "Tried to change permission on non-existent file #{attachment.path(style)}"
+            end
+          end
+
+          CacheBusterWorker.perform_async(attachment.url(style)) if Rails.configuration.x.cache_buster.enabled
+        end
+      end
+    end
+  end
+end