> On Oct. 9, 2012, 7:38 p.m., Yuri Zelikov wrote: > > ./src/org/waveprotocol/box/server/persistence/mongodb/MongoDbStore.java, > > line 187 > > <https://reviews.apache.org/r/7471/diff/1/?file=174643#file174643line187> > > > > I think the original idea of including the waveletName in the complete > > attachment id was in order to prevent security issue, when someone will > > request at attachment by crafting request with a wavelet that he has access > > to by changing attachment to the one from a wave that he can't access. > > Does the new approach handle this issue?
When AttachmentServlet or AttachmentInfoServlet handles request, it gets metainfo of attachment by its Id. It gets waveletName from metainfo and checks access permission to that wavelet for logged user. - Andrew ----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/7471/#review12284 ----------------------------------------------------------- On Oct. 10, 2012, 8:13 a.m., Andrew Kaplanov wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/7471/ > ----------------------------------------------------------- > > (Updated Oct. 10, 2012, 8:13 a.m.) > > > Review request for wave and Yuri Zelikov. > > > Description > ------- > > -- Storage > > As in original version, attachments stored in the directory, defined in the > parameter attachment_store_directory of server.config. > But now all attachments with thumbnails and metadata stored in single > directory. > If you have attachments in your instance of Wiab, move files from > subdirectories in attachment_store_directory up and remove subdirectories. > > -- Thumbnails > > Image attachment shown in the wave as the reduced picture. > Not image attachment shown as icon, representing type of this attachment. > In this case icon is taken from the directory, defined in parameter > thumbnail_patterns_directory of server.config. > Icon must be in PNG format, and named as MIME type with replacing '/' to '_'. > For example thumbnail file for ZIP format (MIME type application/zip) must be > named application_zip. > > > Diffs > ----- > > ./build-proto.xml 1393974 > ./build.xml 1393974 > ./proto_src/org/waveprotocol/box/attachment/AttachmentProto.java > PRE-CREATION > ./server-config.xml 1393974 > ./src/org/waveprotocol/box/attachment/Attachment.gwt.xml PRE-CREATION > ./src/org/waveprotocol/box/attachment/attachment.proto PRE-CREATION > ./src/org/waveprotocol/box/server/CoreSettings.java 1393974 > ./src/org/waveprotocol/box/server/ServerMain.java 1393974 > ./src/org/waveprotocol/box/server/attachment/AttachmentService.java > PRE-CREATION > ./src/org/waveprotocol/box/server/persistence/AttachmentStore.java 1393974 > ./src/org/waveprotocol/box/server/persistence/AttachmentUtil.java 1393974 > ./src/org/waveprotocol/box/server/persistence/file/FileAttachmentStore.java > 1393974 > ./src/org/waveprotocol/box/server/persistence/mongodb/MongoDbStore.java > 1393974 > ./src/org/waveprotocol/box/server/rpc/AttachmentInfoServlet.java > PRE-CREATION > ./src/org/waveprotocol/box/server/rpc/AttachmentServlet.java 1393974 > ./src/org/waveprotocol/box/server/rpc/ProtoSerializer.java 1393974 > ./src/org/waveprotocol/box/webclient/WebClient.gwt.xml 1393974 > ./src/org/waveprotocol/wave/client/StageTwo.java 1393974 > ./src/org/waveprotocol/wave/client/doodad/attachment/AttachmentImpl.java > PRE-CREATION > > ./src/org/waveprotocol/wave/client/doodad/attachment/AttachmentManagerImpl.java > PRE-CREATION > > ./src/org/waveprotocol/wave/client/doodad/attachment/ImageThumbnailAttachmentHandler.java > 1393974 > > ./src/org/waveprotocol/wave/client/doodad/attachment/ImageThumbnailNodeEventHandler.java > 1393974 > > ./src/org/waveprotocol/wave/client/doodad/attachment/SimpleAttachmentManager.java > 1393974 > > ./src/org/waveprotocol/wave/client/doodad/attachment/render/ImageThumbnailRenderer.java > 1393974 > > ./src/org/waveprotocol/wave/client/doodad/attachment/render/ImageThumbnailWidget.java > 1393974 > > ./src/org/waveprotocol/wave/client/doodad/attachment/render/ImageThumbnailWrapper.java > 1393974 > > ./src/org/waveprotocol/wave/client/doodad/attachment/testing/FakeAttachment.java > 1393974 > > ./src/org/waveprotocol/wave/client/doodad/attachment/testing/FakeAttachmentsManager.java > 1393974 > ./src/org/waveprotocol/wave/client/wavepanel/impl/toolbar/EditToolbar.java > 1393974 > ./src/org/waveprotocol/wave/media/model/AttachmentDocumentWrapper.java > 1393974 > ./src/org/waveprotocol/wave/media/model/AttachmentV3.java 1393974 > ./src/org/waveprotocol/wave/media/model/ClientAttachment.java 1393974 > ./src/org/waveprotocol/wave/media/model/MutableClientAttachment.java > 1393974 > ./test/org/waveprotocol/box/server/persistence/AttachmentStoreTestBase.java > 1393974 > ./test/org/waveprotocol/wave/media/model/AttachmentDocumentWrapperTest.java > 1393974 > > Diff: https://reviews.apache.org/r/7471/diff/ > > > Testing > ------- > > > Thanks, > > Andrew Kaplanov > >
