mobilizon.chapril.org-mobil.../lib/web/controllers/export_controller.ex

defmodule Mobilizon.Web.ExportController do
  @moduledoc """
  Controller to serve exported files
  """
  use Mobilizon.Web, :controller
  plug(:put_layout, false)
  action_fallback(Mobilizon.Web.FallbackController)
  alias Mobilizon.Export
  import Mobilizon.Service.Export.Participants.Common, only: [enabled_formats: 0, export_path: 1]
  import Mobilizon.Web.Gettext, only: [dgettext: 3]

  # sobelow_skip ["Traversal.SendDownload"]
  @spec export(Plug.Conn.t(), map) :: {:error, :not_found} | Plug.Conn.t()
  def export(conn, %{"format" => format, "file" => file}) do
    if format in enabled_formats() do
      case Export.get_export(file, "event_participants", format) do
        %Export{file_name: file_name, file_path: file_path} ->
          local_path = Path.join(export_path(format), file_path)
          # We're using encode: false to disable escaping the filename with URI.encode_www_form/1
          # but it may introduce an security issue if the event title wasn't properly sanitized
          # https://github.com/phoenixframework/phoenix/pull/3344
          # https://owasp.org/www-community/attacks/HTTP_Response_Splitting
          send_download(conn, {:file, local_path}, filename: file_name, encode: false)

        nil ->
          {:error, :not_found}
      end
    else
      {:error,
       dgettext("errors", "Export to format %{format} is not enabled on this instance",
         format: format
       )}
    end
  end
end
Export participants to different formats * CSV * PDF (requires Python dependency `weasyprint`) * ODS (requires Python dependency `pyexcel_ods3`) Signed-off-by: Thomas Citharel <tcit@tcit.fr> 2021-10-04 18:59:41 +02:00			`defmodule Mobilizon.Web.ExportController do`
			`@moduledoc """`
			`Controller to serve exported files`
			`"""`
			`use Mobilizon.Web, :controller`
			`plug(:put_layout, false)`
			`action_fallback(Mobilizon.Web.FallbackController)`
			`alias Mobilizon.Export`
Fix export being outputted in the wrong directory in release mode Signed-off-by: Thomas Citharel <tcit@tcit.fr> 2021-11-22 18:43:59 +01:00			`import Mobilizon.Service.Export.Participants.Common, only: [enabled_formats: 0, export_path: 1]`
Export participants to different formats * CSV * PDF (requires Python dependency `weasyprint`) * ODS (requires Python dependency `pyexcel_ods3`) Signed-off-by: Thomas Citharel <tcit@tcit.fr> 2021-10-04 18:59:41 +02:00			`import Mobilizon.Web.Gettext, only: [dgettext: 3]`

			`# sobelow_skip ["Traversal.SendDownload"]`
			`@spec export(Plug.Conn.t(), map) :: {:error, :not_found} \| Plug.Conn.t()`
			`def export(conn, %{"format" => format, "file" => file}) do`
			`if format in enabled_formats() do`
			`case Export.get_export(file, "event_participants", format) do`
			`%Export{file_name: file_name, file_path: file_path} ->`
Fix export being outputted in the wrong directory in release mode Signed-off-by: Thomas Citharel <tcit@tcit.fr> 2021-11-22 18:43:59 +01:00			`local_path = Path.join(export_path(format), file_path)`
Export participants to different formats * CSV * PDF (requires Python dependency `weasyprint`) * ODS (requires Python dependency `pyexcel_ods3`) Signed-off-by: Thomas Citharel <tcit@tcit.fr> 2021-10-04 18:59:41 +02:00			`# We're using encode: false to disable escaping the filename with URI.encode_www_form/1`
			`# but it may introduce an security issue if the event title wasn't properly sanitized`
			`# https://github.com/phoenixframework/phoenix/pull/3344`
			`# https://owasp.org/www-community/attacks/HTTP_Response_Splitting`
			`send_download(conn, {:file, local_path}, filename: file_name, encode: false)`

			`nil ->`
			`{:error, :not_found}`
			`end`
			`else`
			`{:error,`
			`dgettext("errors", "Export to format %{format} is not enabled on this instance",`
			`format: format`
			`)}`
			`end`
			`end`
			`end`