From a2850d1b6b105e893d6264a32490fca2272bd21f Mon Sep 17 00:00:00 2001 From: MontrealSergiy Date: Tue, 1 Apr 2025 19:01:09 -0400 Subject: [PATCH 01/11] confirm trust of file --- .../userfiles/html_file/views/_html.html.erb | 24 +++++++++--- BrainPortal/public/javascripts/cbrain.js | 39 +++++++++++++++++++ 2 files changed, 58 insertions(+), 5 deletions(-) diff --git a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb index 37a386454..61c86e896 100644 --- a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb +++ b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb @@ -36,15 +36,29 @@ ) %> <% end %>
-The HTML document previewed in the frame below is not part of CBRAIN. You should not open it or +The HTML document previewed in the frame below is not part of CBRAIN. You should not browse or interact with it unless you fully trust it. Forms and external links are disabled.
- + + diff --git a/BrainPortal/public/javascripts/cbrain.js b/BrainPortal/public/javascripts/cbrain.js index bba95fcd8..8cc0b2194 100644 --- a/BrainPortal/public/javascripts/cbrain.js +++ b/BrainPortal/public/javascripts/cbrain.js @@ -759,6 +759,45 @@ form.submit(); }); + $(document).delegate(".trust-file-btn", "click", function (event) { + let trustBtn = $("body").find(".trust-file-btn"); + let iframe = $("body").find('.html-viewer'); + let iframeContainer = $("body").find('.iframe-container'); + iframe.attr('src', iframe.data('frame-url')); + trustBtn.hide(); + iframeContainer.show(); + + }); + + // confirm button for html viewer iframe + $('.trust-file-btn').each(function() { + let trustBtn = $(this); + let fileIds = trustBtn.data('ids'); + let iframe = trustBtn.closest('iframe').find('.html-viewer'); + let iframeContainer = trustBtn.closest('div').find('.iframe-container'); + + // If there's a valid fileId, proceed + if (fileIds) { + const trustKey = "trusted_file_" + fileIds; + const fileUrl = iframe.data('frame-url'); + + // Check if trust is already saved + if (localStorage.getItem(trustKey) === "true") { + iframe.attr('src', fileUrl); + trustBtn.hide(); + iframeContainer.show(); + } + + // Click event for trusting the file + trustBtn.click(function() { + localStorage.setItem(trustKey, "true"); // Save trust for file id todo expire in 3 h? + iframe.attr('src', fileUrl); + $(this).hide(); + iframeContainer.show(); + }); + } + }); + //html_tool_tip_code based on xstooltip provided by //http://www.texsoft.it/index.php?%20m=sw.js.htmltooltip&c=software&l=it From 2ad06d42643660017f08be5c1caf38d219d3726a Mon Sep 17 00:00:00 2001 From: MontrealSergiy Date: Wed, 2 Apr 2025 09:47:10 -0400 Subject: [PATCH 02/11] mark redundant lines --- .../userfiles/html_file/views/_html.html.erb | 1 + BrainPortal/public/javascripts/cbrain.js | 5 +++-- 2 files changed, 4 insertions(+), 2 deletions(-) 
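Review bot: The grant recorded by the `.each` handler lives in `localStorage` under `"trusted_file_" + fileIds`, which is scoped to the browser origin rather than to the logged-in session and never expires (the inline `todo expire in 3 h?` acknowledges this), so any CBRAIN account that later uses the same browser profile has that file auto-rendered without ever seeing the warning. The `.delegate` handler registered just above loads the frame on click without reading or writing that key, so the two handlers disagree about what a grant means and both fire on the same click. `trustBtn.closest('iframe')` also cannot match unless the button is nested inside the `<iframe>` element itself, which the template does not suggest, leaving `fileUrl` undefined in that branch. If a client-side memory is kept at all, the minimum is `sessionStorage` with a key that includes the logged-in user, not just the file id; recording the decision server-side in the session, as later commits in this series do, is the better fix.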
diff --git a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb index 61c86e896..48a829e29 100644 --- a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb +++ b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb @@ -53,6 +53,7 @@ interact with it unless you fully trust it.
Forms and external links are d <% if params[:new_tab].present? %> src="<%= stream_userfile_path(@userfile, :disposition => 'inline') %>" <% end %> + <%# todo drop caching trust with ids? %> data-ids="<%= "#{@userfile.id}-#{@userfile.user.id}" %>" class="full-frame html-viewer" <% if params[:new_tab].present? # workaround to wide frame in a new tab %> diff --git a/BrainPortal/public/javascripts/cbrain.js b/BrainPortal/public/javascripts/cbrain.js index 8cc0b2194..44f06d246 100644 --- a/BrainPortal/public/javascripts/cbrain.js +++ b/BrainPortal/public/javascripts/cbrain.js @@ -769,7 +769,8 @@ }); - // confirm button for html viewer iframe + // todo delete this one or preceditng confirm button for html viewer iframe + // this one caches trust info in local storage $('.trust-file-btn').each(function() { let trustBtn = $(this); let fileIds = trustBtn.data('ids'); @@ -790,7 +791,7 @@ // Click event for trusting the file trustBtn.click(function() { - localStorage.setItem(trustKey, "true"); // Save trust for file id todo expire in 3 h? + localStorage.setItem(trustKey, "true"); // Save trust for file/owner id todo expire in 3 h? iframe.attr('src', fileUrl); $(this).hide(); iframeContainer.show(); From 28182af0aa32f933a0fa65c0b14eb7d7154fdbaa Mon Sep 17 00:00:00 2001 From: MontrealSergiy Date: Tue, 8 Apr 2025 14:32:39 -0400 Subject: [PATCH 03/11] minor html improvement --- .../userfiles/html_file/views/_html.html.erb | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb index 48a829e29..50a293d72 100644 --- a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb +++ b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb 
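Review bot: The new `data-ids` attribute is built from `@userfile.id` and `@userfile.user.id`, i.e. the file's owner, so the localStorage key derived from it in cbrain.js still records nothing about which logged-in viewer granted trust; a later account on the same browser profile inherits the grant. If client-side caching is kept, key it on `current_user.id` rather than the owner, or drop it in favour of a server-side record as the `<%# todo drop caching trust with ids? %>` comment already suggests. Separately, on the `params[:new_tab].present?` path the `src` is set directly to `stream_userfile_path(@userfile, :disposition => 'inline')`, so the document loads with no trust step at all — presumably intentional because that page carries its own warning, but worth a comment saying so: `<%# new-tab view loads immediately; the warning text above is the only gate here %>`.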
@@ -40,19 +40,24 @@ The HTML document previewed in the frame below is not part of CBRAIN. You s interact with it unless you fully trust it. Forms and external links are disabled.
-<% if params[:new_tab].blank? %> -
<%= link_to 'Open in the frame below', "#" %>
+<%# -- for other user's files ask confirmation %> +<% if params[:new_tab].blank? && current_user.id != @userfile.user_id %> +
<%= link_to 'Browse this file in the frame below', "#iframe-container" %>
<% end %>
- -
+
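Review bot: The new condition `params[:new_tab].blank? && current_user.id != @userfile.user_id` equates ownership with authorship: any HTML file in the current user's own account renders without confirmation, including one that arrived there by some path other than the user's own upload (a task output, a copy, an admin assignment), if CBRAIN allows such paths — that is not visible here. The assumption deserves a one-line comment next to the condition, e.g. `<%# the owner's own files are shown without confirmation; assumes owner == author %>`. Note also that when `new_tab` is present the confirmation link is not rendered for other users' files either, so that path presumably relies on the warning text alone. The surrounding markup continues past this hunk.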
From 9bc4fa92f373d48c42dc64a3efe6fddddd4d6e17 Mon Sep 17 00:00:00 2001 From: MontrealSergiy Date: Fri, 25 Apr 2025 14:31:36 -0400 Subject: [PATCH 10/11] verbiage in comments ... --- .../app/controllers/userfiles_controller.rb | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/BrainPortal/app/controllers/userfiles_controller.rb b/BrainPortal/app/controllers/userfiles_controller.rb index 5a21e1ea2..2d7c397ec 100644 --- a/BrainPortal/app/controllers/userfiles_controller.rb +++ b/BrainPortal/app/controllers/userfiles_controller.rb @@ -440,14 +440,14 @@ def show #:nodoc: end end - # established trust in all the other files of a creator of this file for the duration of the session - # used to render html userfiles or collection elements + # establishes trust in all the files of a creator of this file for the duration of the session + # This method is used to render html userfiles or collection elements def trust_creator @userfile = Userfile.find_accessible_by_user(params[:id], current_user, :access_requested => :read) cbrain_session[:trust_user_files] ||= [] unless cbrain_session[:trust_user_files].include?(@userfile.user_id) - ids = cbrain_session[:trust_user_files] # in place modification does not work well with session - ids.shift if ids.length > 99 # limit to 100 ids, session storage is limited + ids = cbrain_session[:trust_user_files] # in place modification does not work well within a session + ids.shift if ids.length > 99 # cap to 100 ids, session storage is limited cbrain_session[:trust_userfiles] = ids << @userfile.user_id end respond_to do |format| 
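Review bot: `trust_creator` reads and appends the creator list under `cbrain_session[:trust_user_files]` but the unchanged assignment line writes it back to `cbrain_session[:trust_userfiles]`, the key `trust` uses for file ids. Besides losing the creator grant (the in-place `<<` is exactly what the adjacent comment says the session does not preserve), this pushes a user id into the file-id list, so a file whose id happens to equal a trusted creator's user id would be treated as trusted wherever that list is consulted (the consumer is not visible here). The fix is the key on that line: `cbrain_session[:trust_user_files] = ids << @userfile.user_id`. The method body continues past the hunk into the `respond_to` block.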
@@ -455,17 +455,15 @@ def trust_creator end end - # established trust in a file or all the other files of a collection for the duration of the session - # used to render html userfiles or collection elements + # establishes trust in a file or all the other files of a collection for the duration of the session + # This method is used to render html userfiles or collection elements def trust - @userfile = Userfile.find_accessible_by_user(params[:id], current_user, :access_requested => :read) cbrain_session[:trust_userfiles] ||= [] unless cbrain_session[:trust_userfiles].include?(@userfile.id) - ids = cbrain_session[:trust_userfiles] - ids << @userfile.id + ids = cbrain_session[:trust_userfiles] # in place modification does not work well within a session ids.shift if ids.length > 199 # limit to 200 file ids, session size is limited - cbrain_session[:trust_userfiles] = ids # in place does not work well within a session + cbrain_session[:trust_userfiles] = ids << @userfile.id end respond_to do |format| format.js { render js: "" } # no need to do anything as of now From d1cccbe8f25b3271bbc5d132324b879d1d1557f6 Mon Sep 17 00:00:00 2001 From: MontrealSergiy Date: Mon, 12 May 2025 10:52:19 -0400 Subject: [PATCH 11/11] remove a duplicate line #1505 --- .../userfiles/html_file/views/_html.html.erb | 42 +++++++++---------- 1 file changed, 21 insertions(+), 21 deletions(-) diff --git a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb index fa8e38585..4224ebffb 100644 --- a/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb +++ b/BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb 
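Review bot: The removed line `@userfile = Userfile.find_accessible_by_user(params[:id], current_user, :access_requested => :read)` was the only assignment of `@userfile` in `trust`, yet the new side still calls `@userfile.id`; the commit subject says comments only, so this looks accidental. Unless a `before_action` not shown here loads `@userfile` with the same `:read` access check, the action now raises `NoMethodError` on nil — or, if a filter sets it without that check, a user could record trust for a file they are not permitted to read. Restore the line as the first statement of `trust`: `@userfile = Userfile.find_accessible_by_user(params[:id], current_user, :access_requested => :read)`. The method body continues past the hunk.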
@@ -30,14 +30,15 @@ This HTML document is not part of CBRAIN. You should not v <%= link_to( "Open in a separate tab", display_userfile_url(@userfile, - :viewer => :html, - :content_viewer => "on", - :file_name => @userfile.name, - :viewer_userfile_class => "HtmlFile", - :new_tab => "yes" + :viewer => :html, + :content_viewer => "on", + :file_name => @userfile.name, + :viewer_userfile_class => "HtmlFile", + :new_tab => "yes" ), :target => "_blank" - ) %> + ) + %> <% end %>
@@ -67,22 +68,21 @@ This HTML document is not part of CBRAIN. You should not v
- hidden - <% end %> - > + <% if hide_frame %> + hidden + <% end %> +>