URLs for attachments are stored with expiry token at end of URL #252
Comments
select count(*) from spotlight_pages where content like '%X-Amz-Algorithm%';
Looks like there are still pages with these URLs. Can certainly do cleanup, but it looks like this might still be occurring. The newest created page with an attachment upload that matches this format is from earlier this month. Not sure yet what the user-facing impact is.
Seems like this bug is coming back (or just never left?). From the user perspective, this doesn't seem to cause issues unless viewing an uploaded image with the "View Larger" button. I've fixed it for the uploaded images that are using the View Larger button here: https://exhibits.library.cornell.edu/blackprint-WIP/about/behind-the-scenes
Fixed by ssh-ing into the prod server and opening a rails console:
But there's still 141 pages to go:
Also, is this always an issue for uploaded images? Seems like it was fixed previously, what changed since then? Needs more investigation.
Background
URLs are being saved after attachment upload in the form...
They should be stored without the expiry token in the form...
With the expiry token removed, access is determined on the ACL associated with the file.
Existing Patch
PR #251 created a patch to remove everything from the question mark on to the end. This fixes the display of the images, but not the storing of the image URLs in the database.
To Reproduce
NOTE: The value of stored in spotlight_attachments table only includes the FILENAME. The full URL is stored in the content field of the page that uses the attachment which is in the spotlight_pages table.
Acceptance Requirements
This issue will be fixed when the expiry tokens are no longer saved on the attachment URL. Once fixed, any attachments that already have the expiry token saved as part of the URL will need to be manually adjusted to remove the expiry token.
Manual Repair
You can find all pages with a URL with the expiry token by searching via mysql with...
You can copy the content to an editor and remove everything from the ? to the end of the URL. To be able to use the sql update command to set the content, you will also have to escape the following characters.
' with ''
\ with \\
Related Work
PR #251 patch s3 access to remove expiry token from attachment URLs
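The Manual Repair step of removing everything from the ? to the end of the URL, as an added Ruby example that is not part of the original issue or the project's code. The constant and method names are hypothetical, the sample content is constructed, and the handling of `&amp;` and `\u0026` separators assumes the content may be stored as HTML or JSON.

```ruby
# Added example: strip presigned-URL query strings from stored page content.
# Names are hypothetical and the samples are constructed; not project code.

# Base URL, then a query string. Parameters may be joined by "&", "&amp;"
# (HTML) or "\u0026" (JSON); the match stops before a JSON-escaped quote.
URL_WITH_QUERY = %r{(https?://[^\s"'<>\\?]+)\?((?:[^\s"'<>\\]|\\u0026)*)}
PRESIGN_PARAM  = /(?:\A|[&;]|\\u0026)X-Amz-(?:Algorithm|Credential|Date|Expires|SignedHeaders|Signature)=/i

# Returns [cleaned_content, number_of_urls_rewritten].
def strip_expiry_tokens(content)
  rewritten = 0
  cleaned = content.gsub(URL_WITH_QUERY) do
    whole = Regexp.last_match(0)
    base  = Regexp.last_match(1)
    query = Regexp.last_match(2)
    if query.match?(PRESIGN_PARAM)
      rewritten += 1
      base   # drop everything from the "?" on
    else
      whole  # ordinary query strings are left untouched
    end
  end
  [cleaned, rewritten]
end

# The two escapes the issue lists for a hand-written SQL UPDATE:
# ' becomes '' and \ becomes \\.
def sql_escape(text)
  text.gsub(/[\\']/) { |c| c == "'" ? "''" : '\\\\' }
end

# Constructed samples: one HTML fragment, one JSON-encoded fragment.
HTML_SAMPLE = '<img src="https://example-bucket.s3.amazonaws.com/uploads/a.jpg' \
              '?X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Expires=900' \
              '&amp;X-Amz-Signature=abc123"> ' \
              '<a href="https://example.org/search?q=maps">x</a>'
JSON_SAMPLE = '{"text":"<img src=\"https://example-bucket.s3.amazonaws.com/uploads/b.png' \
              '?X-Amz-Algorithm=AWS4-HMAC-SHA256\u0026X-Amz-Signature=def456\">"}'

if __FILE__ == $PROGRAM_NAME
  [HTML_SAMPLE, JSON_SAMPLE].each do |sample|
    cleaned, count = strip_expiry_tokens(sample)
    puts "#{count} rewritten: #{cleaned}"
  end
end
```

Running the cleanup a second time rewrites nothing, so the returned count can be used to confirm that no stored URL still carries a token.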