feat: common attachment endpoint follow-up changes (#7826)

app/controllers/api/v1/accounts/articles_controller.rb

@@ -1,7 +1,7 @@
 class Api::V1::Accounts::ArticlesController < Api::V1::Accounts::BaseController
   before_action :portal
   before_action :check_authorization
-  before_action :fetch_article, except: [:index, :create, :attach_file, :reorder]
+  before_action :fetch_article, except: [:index, :create, :reorder]
   before_action :set_current_page, only: [:index]
 
   def index
@@ -36,17 +36,6 @@ class Api::V1::Accounts::ArticlesController < Api::V1::Accounts::BaseController
     head :ok
   end
 
-  def attach_file
-    file_blob = ActiveStorage::Blob.create_and_upload!(
-      key: nil,
-      io: params[:background_image].tempfile,
-      filename: params[:background_image].original_filename,
-      content_type: params[:background_image].content_type
-    )
-    file_blob.save!
-    render json: { file_url: url_for(file_blob) }
-  end
-
   def reorder
     Article.update_positions(params[:positions_hash])
     head :ok

app/controllers/api/v1/accounts/automation_rules_controller.rb

@@ -20,16 +20,6 @@ class Api::V1::Accounts::AutomationRulesController < Api::V1::Accounts::BaseCont
     @automation_rule
   end
 
-  def attach_file
-    file_blob = ActiveStorage::Blob.create_and_upload!(
-      key: nil,
-      io: params[:attachment].tempfile,
-      filename: params[:attachment].original_filename,
-      content_type: params[:attachment].content_type
-    )
-    render json: { blob_key: file_blob.key, blob_id: file_blob.id }
-  end
-
   def update
     ActiveRecord::Base.transaction do
       automation_rule_update

app/controllers/api/v1/accounts/macros_controller.rb

@@ -39,16 +39,6 @@ class Api::V1::Accounts::MacrosController < Api::V1::Accounts::BaseController
     head :ok
   end
 
-  def attach_file
-    file_blob = ActiveStorage::Blob.create_and_upload!(
-      key: nil,
-      io: params[:attachment].tempfile,
-      filename: params[:attachment].original_filename,
-      content_type: params[:attachment].content_type
-    )
-    render json: { blob_key: file_blob.key, blob_id: file_blob.id }
-  end
-
   def execute
     ::MacrosExecutionJob.perform_later(@macro, conversation_ids: params[:conversation_ids], user: Current.user)
 

app/controllers/api/v1/accounts/portals_controller.rb

@@ -1,7 +1,7 @@
 class Api::V1::Accounts::PortalsController < Api::V1::Accounts::BaseController
   include ::FileTypeHelper
 
-  before_action :fetch_portal, except: [:index, :create, :attach_file]
+  before_action :fetch_portal, except: [:index, :create]
   before_action :check_authorization
   before_action :set_current_page, only: [:index]
 
@@ -53,16 +53,6 @@ class Api::V1::Accounts::PortalsController < Api::V1::Accounts::BaseController
     @portal.logo.attach(blob)
   end
 
-  def attach_file
-    file_blob = ActiveStorage::Blob.create_and_upload!(
-      key: nil,
-      io: params[:logo].tempfile,
-      filename: params[:logo].original_filename,
-      content_type: params[:logo].content_type
-    )
-    render json: { blob_key: file_blob.key, blob_id: file_blob.id }
-  end
-
   private
 
   def fetch_portal

app/policies/article_policy.rb

@@ -23,10 +23,6 @@ class ArticlePolicy < ApplicationPolicy
     @account_user.administrator? || portal_member?
   end
 
-  def attach_file?
-    @account_user.administrator? || portal_member?
-  end
-
   def reorder?
     @account_user.administrator? || portal_member?
   end

app/policies/automation_rule_policy.rb

@@ -7,10 +7,6 @@ class AutomationRulePolicy < ApplicationPolicy
     @account_user.administrator?
   end
 
-  def attach_file?
-    @account_user.administrator?
-  end
-
   def show?
     @account_user.administrator?
   end

app/policies/macro_policy.rb

@@ -23,10 +23,6 @@ class MacroPolicy < ApplicationPolicy
     @record.global? || author?
   end
 
-  def attach_file?
-    true
-  end
-
   private
 
   def author?

app/policies/portal_policy.rb

@@ -27,10 +27,6 @@ class PortalPolicy < ApplicationPolicy
     @account_user.administrator?
   end
 
-  def attach_file?
-    @account_user.administrator?
-  end
-
   private
 
   def portal_member?

config/initializers/rack_attack.rb

@@ -137,6 +137,11 @@ class Rack::Attack
     match_data[:account_id] if match_data.present?
   end
 
+  ## Prevent Abuse of attachment upload APIs ##
+  throttle('/api/v1/upload', limit: 60, period: 1.hour) do |req|
+    req.ip if req.path_without_extentions == '/api/v1/upload' && req.post?
+  end
+
   ## ----------------------------------------------- ##
 end
 

config/routes.rb

@@ -58,11 +58,9 @@ Rails.application.routes.draw do
           resources :canned_responses, only: [:index, :create, :update, :destroy]
           resources :automation_rules, only: [:index, :create, :show, :update, :destroy] do
             post :clone
-            post :attach_file, on: :collection
           end
           resources :macros, only: [:index, :create, :show, :update, :destroy] do
             post :execute, on: :member
-            post :attach_file, on: :collection
           end
           resources :sla_policies, only: [:index, :create, :show, :update, :destroy]
           resources :campaigns, only: [:index, :create, :show, :update, :destroy]
@@ -214,10 +212,8 @@ Rails.application.routes.draw do
               patch :archive
               put :add_members
             end
-            post :attach_file, on: :collection
             resources :categories
             resources :articles do
-              post :attach_file, on: :collection
               post :reorder, on: :collection
             end
           end

spec/controllers/api/v1/accounts/articles_controller_spec.rb

@@ -259,23 +259,5 @@ RSpec.describe 'Api::V1::Accounts::Articles', type: :request do
         expect(json_response['payload']['id']).to eq(root_article.id)
       end
     end
-
-    describe 'Upload an image' do
-      let(:article) { create(:article, account_id: account.id, category_id: category.id, portal_id: portal.id, author_id: agent.id) }
-
-      it 'update the article with an image' do
-        file = fixture_file_upload(Rails.root.join('spec/assets/avatar.png'), 'image/png')
-
-        post "/api/v1/accounts/#{account.id}/portals/#{article.portal.slug}/articles/attach_file",
-             headers: agent.create_new_auth_token,
-             params: { background_image: file }
-
-        expect(response).to have_http_status(:success)
-
-        blob = response.parsed_body
-
-        expect(blob['file_url']).to be_present
-      end
-    end
   end
 end

spec/controllers/api/v1/accounts/automation_rules_controller_spec.rb

@@ -128,7 +128,7 @@ RSpec.describe 'Api::V1::Accounts::AutomationRulesController', type: :request do
 
         expect(account.automation_rules.count).to eq(0)
 
-        post "/api/v1/accounts/#{account.id}/automation_rules/attach_file",
+        post '/api/v1/upload',
              headers: administrator.create_new_auth_token,
              params: { attachment: file }
 
@@ -163,13 +163,13 @@ RSpec.describe 'Api::V1::Accounts::AutomationRulesController', type: :request do
         file_1 = fixture_file_upload(Rails.root.join('spec/assets/avatar.png'), 'image/png')
         file_2 = fixture_file_upload(Rails.root.join('spec/assets/sample.png'), 'image/png')
 
-        post "/api/v1/accounts/#{account.id}/automation_rules/attach_file",
+        post '/api/v1/upload',
              headers: administrator.create_new_auth_token,
              params: { attachment: file_1 }
 
         blob_1 = response.parsed_body
 
-        post "/api/v1/accounts/#{account.id}/automation_rules/attach_file",
+        post '/api/v1/upload',
              headers: administrator.create_new_auth_token,
              params: { attachment: file_2 }
 

spec/controllers/api/v1/accounts/macros_controller_spec.rb

@@ -129,7 +129,7 @@ RSpec.describe 'Api::V1::Accounts::MacrosController', type: :request do
       it 'Saves file in the macros actions to send an attachments' do
         file = fixture_file_upload(Rails.root.join('spec/assets/avatar.png'), 'image/png')
 
-        post "/api/v1/accounts/#{account.id}/macros/attach_file",
+        post '/api/v1/upload',
              headers: administrator.create_new_auth_token,
              params: { attachment: file }
 

spec/controllers/api/v1/accounts/portals_controller_spec.rb

@@ -210,33 +210,4 @@ RSpec.describe 'Api::V1::Accounts::Portals', type: :request do
       end
     end
   end
-
-  describe 'POST /api/v1/accounts/{account.id}/portals/attach_file' do
-    it 'update the portal with a logo' do
-      file = fixture_file_upload(Rails.root.join('spec/assets/avatar.png'), 'image/png')
-
-      post "/api/v1/accounts/#{account.id}/portals/attach_file",
-           headers: admin.create_new_auth_token,
-           params: { logo: file }
-
-      expect(response).to have_http_status(:success)
-
-      blob = response.parsed_body
-
-      expect(blob['blob_key']).to be_present
-      expect(blob['blob_id']).to be_present
-
-      params = { blob_id: blob['blob_id'] }
-
-      expect(portal.logo.attachment).not_to be_present
-
-      patch "/api/v1/accounts/#{account.id}/portals/#{portal.slug}",
-            headers: admin.create_new_auth_token,
-            params: params
-      portal.reload
-
-      expect(portal.logo.presence).to be_truthy
-      expect(portal.logo.attachment).to be_present
-    end
-  end
 end