
Security issue

Open webdev36 opened this issue 4 years ago • 15 comments

Hi @gabifiolek, please check the security option. The error occurs when using the filestack_field tag with the security option. Of course, I've already set app_secret and the security options in the application.rb file.

I just got this error: undefined method `policy' for {"call"=>["pick", "read", "store", "convert", "remove"]}:Hash. Please check this issue.

webdev36 avatar Mar 20 '20 19:03 webdev36

Hello, @joaopedre! Thank you for reaching out to me. Please let me know which filestack-rails gem version you use, and what you set in config.filestack_rails.version in the configuration file.

gabifija avatar Mar 24 '20 09:03 gabifija

I've used filestack-rails 5.2.2 and did not set the version in the configuration file.

webdev36 avatar Mar 24 '20 11:03 webdev36

@joaopedre Please confirm that your application.rb provides security as the following Hash:

config.filestack_rails.api_key = 'APIKEY'
config.filestack_rails.app_secret = 'APP_SECRET'
config.filestack_rails.security = {"call"=>["pick", "read", "store", "convert", "remove"]}

or

config.filestack_rails.security = {call: %w[pick read store convert remove]}

Let me know, because I can't reproduce it.

gabifija avatar Mar 24 '20 21:03 gabifija

Rails.application.config.filestack_rails.api_key = ENV['FILESTACK_API_KEY']
Rails.application.config.filestack_rails.client_name = ENV['FILESTACK_CLIENT_NAME']
if Rails.env.production?
  Rails.application.config.filestack_rails.app_secret = ENV['FILESTACK_API_SECRET']
  Rails.application.config.filestack_rails.security = {'call' => %w[pick read store convert remove]}
end

It is set like this.


webdev36 avatar Mar 24 '20 21:03 webdev36

@joaopedre I've set up my application.rb file with the same security hash, but I don't see the error. Can you check whether config.filestack_rails.security = {call: %w[pick read store convert remove]} returns the same error? Let me also know which versions of Ruby and Rails you use.

gabifija avatar Mar 25 '20 08:03 gabifija

@joaopedre You can also contact our support ([email protected]), share your APIKEY and attach this issue. Then we can check your application, secret and security options.

gabifija avatar Mar 25 '20 09:03 gabifija

@joaopedre @gabifiolek I downgraded to 4.0.1 and it works well (tested in Rails 5.2 and 6.0.2).

mauroponce avatar Mar 28 '20 22:03 mauroponce

4.0.4 is the latest one that works. From then on, security is a simple Ruby hash. Also, it's not possible to upload SVG files using the filepicker AFTER security is enabled. Please let me know if this is a known issue. Thanks!

mauroponce avatar Mar 28 '20 22:03 mauroponce

Okay, I got it. Thanks

webdev36 avatar Mar 29 '20 11:03 webdev36

I'm also having the same issue. After looking at the code it's obvious why the problem is happening, but I don't know why the code was changed.

If you take a look at lib/filestack-rails/configuration.rb in v4.0.4: https://github.com/filestack/filestack-rails/blob/4.0.4/lib/filestack_rails/configuration.rb#L25

@security is set to an instance of FilestackSecurity, which has the #policy method we're looking for.

If you take a look at lib/filestack-rails/configuration.rb in v4.0.5: https://github.com/filestack/filestack-rails/blob/4.0.5/lib/filestack_rails/configuration.rb#L27

@security is set to whatever is passed into the method, defaulting to a Hash. Given that the README suggests setting it to a hash:

config.filestack_rails.security = {'call' => %w[pick store read convert] }

Here's the commit with the breaking change: https://github.com/filestack/filestack-rails/commit/f39bd24bea3aa36592149b8a1cde25ad68779c13#diff-8c72e16fad1744738f63d517983cf69c

As you can see, @joaopedre left a comment there as well. This just seems broken, or the README is wrong.

taylorthurlow avatar Apr 11 '20 06:04 taylorthurlow

Okay, I've come to the conclusion that it wasn't clear what the OP was trying to achieve in the first place (call FilestackSecurity#policy?), and that there isn't technically an issue or bug: the public API of FilestackConfiguration just had breaking changes between 4.0.4 and 4.0.5.

FilestackSecurity#policy is still a method that works, but FilestackConfiguration#security no longer returns an instance of FilestackSecurity, just a Hash. This seems deliberate because the ApplicationHelper still uses it here.

What was missing from the OP is why they were trying to call Rails.application.config.filestack_rails.security.policy. In my case, I use it in a background job for deleting assets. I've copied the method from the above-linked class:

# Builds a FilestackSecurity from the configured hash and app secret;
# returns nil when no security options are configured.
def security
  security_options = ::Rails.application.config.filestack_rails.security
  app_secret = ::Rails.application.config.filestack_rails.app_secret

  return nil unless security_options
  FilestackSecurity.new(app_secret, options: security_options)
end

Using this method and calling security.policy instead works.

taylorthurlow avatar Apr 11 '20 06:04 taylorthurlow

puts config.filestack_rails.security.policy
puts config.filestack_rails.security.signature

These commands don't work. I'd like to change the config name to config.security_option instead of config.security.

webdev36 avatar Apr 17 '20 21:04 webdev36

@taylorthurlow Thank you for letting me know, I'll take a look on that as soon as possible.

gabifija avatar Apr 21 '20 14:04 gabifija

Thanks


webdev36 avatar Apr 21 '20 21:04 webdev36

@joaopedre Many months ago I changed it because some of our clients requested generating security per request. The security stopped working for one of them just 1 hour after deployment. The policy and signature key pair was generated once, in the initializers of the Rails application. Once the server had started, it did not change in subsequent requests.

That's why this change broke your code: I moved the security generation to application_helper. I'll figure out how to handle both cases ASAP.

gabifija avatar Apr 23 '20 20:04 gabifija
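A runnable sketch of the two points raised in this thread, the Hash-vs-object shape of config.filestack_rails.security across 4.0.4/4.0.5 and minting the policy/signature pair per request instead of once at boot. This is added example code, not the gem's: DemoSecurity is a simplified stand-in for FilestackSecurity with an assumed policy format, and CONFIG holds constructed values.

```ruby
require 'json'
require 'base64'
require 'openssl'

# Simplified stand-in for the gem's FilestackSecurity (constructed for this
# example so it runs without the gem): the policy is base64url JSON carrying
# the call list and an expiry, the signature is an HMAC-SHA256 over it.
class DemoSecurity
  attr_reader :policy, :signature

  def initialize(app_secret, options:, now: Time.now.to_i, ttl: 3600)
    opts = options.transform_keys(&:to_s)
    opts['expiry'] ||= now + ttl
    @policy = Base64.urlsafe_encode64(JSON.generate(opts), padding: false)
    @signature = OpenSSL::HMAC.hexdigest('SHA256', app_secret, @policy)
  end

  def expired?(now = Time.now.to_i)
    JSON.parse(Base64.urlsafe_decode64(policy))['expiry'] <= now
  end
end

# Mirrors the helper copied from ApplicationHelper above, but accepts both
# shapes the config took across versions: a plain Hash (>= 4.0.5) or an object
# that already responds to #policy (<= 4.0.4). A fresh pair is minted per call.
def build_security(config, now: Time.now.to_i)
  opts = config[:security]
  return nil unless opts
  return opts if opts.respond_to?(:policy)
  DemoSecurity.new(config[:app_secret], options: opts, now: now)
end

CONFIG = {
  app_secret: 'DEMO_SECRET_not_real',                        # constructed value
  security:   { 'call' => %w[pick read store convert remove] }
}.freeze

# One pair minted at boot (the old initializer behaviour) versus one per request.
def boot_time_pair_still_valid?(boot, request_at)
  !build_security(CONFIG, now: boot).expired?(request_at)
end

def per_request_pair_valid?(request_at)
  !build_security(CONFIG, now: request_at).expired?(request_at)
end
```

With a one-hour expiry, the boot-time pair is rejected on any request made more than an hour after the server started, which is the failure described above; the per-request pair is always fresh.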