Sha256: 73880218fada645ec460393646a3ba213af78f5540a07260db480021b196e682
Contents?: true
Size: 1.04 KB
Versions: 2
Stored size: 1.04 KB

Contents

module AdminData
  class PublicController < ApplicationController

    # Serves one of the static assets (CSS, JS, PNG) bundled with admin_data.
    # params[:file] is user controlled, so it is only used to build a path
    # after it has been matched against the whitelist of known asset paths.
    def serve

      # validate the filename against a whitelist of the gem's own assets;
      # anything not in the list (including traversal attempts) gets a 404
      unless self.class.admin_data_assets.include? params[:file]
        render :nothing => true, :status => 404 and return
      end

      opts = {:text => File.read(File.join(AdminData.public_dir, params[:file])), :cache => true}

      # only these extensions are served; everything else is a 404
      case params[:file]
      when /\.css$/i then opts[:content_type] = "text/css"
      when /\.js$/i  then opts[:content_type] = "text/javascript"
      when /\.png$/i then opts[:content_type] = "image/png"
      else
        render :nothing => true, :status => 404 and return
      end

      render opts
    end

    protected

    # Cached list of all assets provided by admin_data, as paths relative
    # to AdminData.public_dir. It is used to ensure security in the serve
    # method: only paths present in this list can ever be read from disk.
    def self.admin_data_assets
      @admin_data_assets ||= (
        Dir.glob(File.join(AdminData.public_dir, '**', '*')).map do |path|
          # we want only relative paths (the part after public_dir)
          path.split(AdminData.public_dir, 2).last
        end
      )
    end
  end
end

Version data entries

2 entries across 2 versions & 1 rubygems

Version           Path
admin_data-1.1.4  app/controllers/admin_data/public_controller.rb
admin_data-1.1.1  app/controllers/admin_data/public_controller.rb