If there is an anonymous role to view_project, there are two attachable
instances (Grids::MyPage, Projects::Export) that allow anonymous
attaching of uncontainered attachments.
This has the consequence that anon users can upload uncontainered
attachments when this role is set.
This PR fixes this by preventing these classes from getting
uncontainered attachments, as they are only necessary for resources
created through the frontend (projects, work packages).
* Fix argument alignment since f08bea3467
The FactoryBot.* prefix has been removed in f08bea3467. Since then
rubocop complains about Layout/ArgumentAlignment. This commit fixes it.
* do not fix alignments for modules/*/spec yet
hoping to be under the limit of 65535 characters for reviewdog to report on rubocop errors
* Add setting for whitelist
* Make attachments API BaseServices compatible
* Add prepare service and contract
* Correctly pass the filename to the UploadedFile
* Add presence check to filename
* Fix expected validation message
* We no longer raise a multipart error when metadata is empty
* Fix filesize validation on prepared uploads
* Add parser error if invalid metadata json
* When attachment is not saved, use filename property
* Return correct error message on JSON parser erroro
* Fix specs
* Use attachment upload representer
* Fix direct uploads mocks with new service layer
* Lint
* Fix export job using attachment service
* Fix IFC controller using attachment prepare service
* Fix export job
* RenameRename params_getter to params_source
* Fix mail handler using attachment service
* Fix usage of attachment create service in documents
* Reuse shared examples for document attachment spec
* Fix stubbed attachment service in export job spec
* Use admin user in backup spec
* Fix export job for bim
* Fix attachment integration spec
* Fix issues_controller spec
* Make budget resource spec reuse common examples
* Fix attachment parsing representer spec
* Replace prepare part of attachment spec into separate service spec
* Clear cache for login spec
* Convert document create/update into services
* Budget services
* Allow options to be passed to property twin
* Remove setting author on budget initialize
* Replace meetings update with services
* Replace ifc models attachment handling with services
* Don't check uploader if changed by system
* Fix uploader being changed by system
* Replace wiki page attach_files with attachable services
* Replace avatar saving
* Replace snapshot attach_files
* Skip double validation when container present
* Set snapshot through attachment service
* Remove attach_files
* Validate content type in contract
* Enforce writing the content type without accepting user input
* Expect changed content_type
* Fix content of viewpoint image to get correct content type
* Fix tsv spec
* Add create contract spec
* Bypass whitelist in internal services when conflicting with user
* Fix expects in specs after whitelist bypass
* Render contract errors for wiki
* Add before_hook to bodied to allow to pre-authorize permissions
* Budget errors from contract
* Document errors from contract
ulferts