36 lines
1.4 KiB
Elixir
36 lines
1.4 KiB
Elixir
defmodule Mobilizon.Web.ExportController do
|
|
@moduledoc """
|
|
Controller to serve exported files
|
|
"""
|
|
use Mobilizon.Web, :controller
|
|
plug(:put_layout, false)
|
|
action_fallback(Mobilizon.Web.FallbackController)
|
|
alias Mobilizon.Export
|
|
import Mobilizon.Service.Export.Participants.Common, only: [enabled_formats: 0]
|
|
import Mobilizon.Web.Gettext, only: [dgettext: 3]
|
|
|
|
# sobelow_skip ["Traversal.SendDownload"]
|
|
@spec export(Plug.Conn.t(), map) :: {:error, :not_found} | Plug.Conn.t()
|
|
def export(conn, %{"format" => format, "file" => file}) do
|
|
if format in enabled_formats() do
|
|
case Export.get_export(file, "event_participants", format) do
|
|
%Export{file_name: file_name, file_path: file_path} ->
|
|
local_path = "uploads/exports/#{format}/#{file_path}"
|
|
# We're using encode: false to disable escaping the filename with URI.encode_www_form/1
|
|
# but it may introduce an security issue if the event title wasn't properly sanitized
|
|
# https://github.com/phoenixframework/phoenix/pull/3344
|
|
# https://owasp.org/www-community/attacks/HTTP_Response_Splitting
|
|
send_download(conn, {:file, local_path}, filename: file_name, encode: false)
|
|
|
|
nil ->
|
|
{:error, :not_found}
|
|
end
|
|
else
|
|
{:error,
|
|
dgettext("errors", "Export to format %{format} is not enabled on this instance",
|
|
format: format
|
|
)}
|
|
end
|
|
end
|
|
end
|