mirror of
https://github.com/basecamp/once-campfire.git
synced 2026-07-12 18:59:09 +09:00
ed5a172871
ActiveStorage's direct-upload endpoints ship unauthenticated by Rails default: ActiveStorage::DirectUploadsController and DiskController inherit from ActionController::Base, so they bypass the app's Authentication concern. That leaves the write path open — anyone could mint blob records and PUT bytes to local disk storage. Campfire never uses direct upload for legitimate attachments. Those flow through MessagesController#create (already authenticated), and Trix file drops are disabled in the composer. Gating the write path is therefore pure defense-in-depth with no functional cost. Require an authenticated session on the two write actions (DirectUploadsController#create and DiskController#update) by including the existing Authentication concern. Blob serving stays public — DiskController#show keeps its auth skip, and the Blobs/Representations controllers are untouched — so message attachments and the account logo keep loading. Because these controllers live in ActiveStorage::Engine and only see the engine's url helpers, also include the application route helpers so the concern can redirect to new_session_url on failure (302, write blocked).