Changeset 1182 for trunk/grails-app/controllers

Timestamp:

Nov 22, 2010, 5:27:23 PM (11 years ago)

Author:

robert@…

Message:

Improved file upload fields so users can delete existing files and are able to access uploaded files (using a tag in the tag library). See ticket #17

File:

• trunk/grails-app/controllers/dbnp/studycapturing/FileController.groovy (modified) (4 diffs)

trunk/grails-app/controllers/dbnp/studycapturing/FileController.groovy

@@ -23 +23 @@
      */
     def get = {
-        // Check whether the file exists
-        def filename = params.id;
         def fileExists;
+
+                // Filename is not url decoded for some reason
+                def coder = new org.apache.commons.codec.net.URLCodec()
+                def filename = coder.decode(params.id)
+
+                // Security check to prevent accessing files in other directories
+                if( filename.contains( '..' ) ) {
+                        response.status = 500;
+                        render "Invalid filename given";
+                        return;
+                }
+                
         try {
             fileExists = fileService.fileExists( filename )
@@ -33 +43 @@
         if( !filename || !fileExists ) {
             response.status = 404;
-            render( "" );
+            render( "File not found" );
             return;
         }
@@ -42 +52 @@
 
         // Return the file
+                response.setHeader "Content-disposition", "attachment; filename=${filename}"
         response.outputStream << file.newInputStream()
+                response.outputStream.flush()
     }
 
@@ -73 +85 @@
         }
     }
+
+
 }