VRFS-2232 VRFS-2233 handle notification files so they only can be viewed if can_join?; otherwise throw 403 and handle appropriately

web/app/assets/javascripts/jam_rest.js

@@ -68,6 +68,13 @@
           });
         }
 
+        function getMusicNotation(query) {
+          return $.ajax({
+            type: "GET",
+            url: "/api/music_notations/"+query
+          });
+        }
+
         function legacyJoinSession(options) {
           var sessionId = options["session_id"];
           delete options["session_id"];
@@ -1223,6 +1230,7 @@
         this.legacyCreateSession = legacyCreateSession;
         this.createScheduledSession = createScheduledSession;
         this.uploadMusicNotations = uploadMusicNotations;
+        this.getMusicNotation = getMusicNotation;
         this.legacyJoinSession = legacyJoinSession;
         this.joinSession = joinSession;
         this.cancelSession = cancelSession;

web/app/assets/javascripts/sessionList.js

@@ -122,6 +122,18 @@
       $('a.more.slots', $parentRow).click(toggleSlots);
       $('a.more.rsvps', $parentRow).click(toggleRsvps);
 
+        $('.notation-link').click(function(evt) {
+            rest.getMusicNotation($(this).attr('data-notation-id'))
+                .done(function(result) {
+                    window.open(result, '_blank');
+                })
+                .fail(function(xhr, textStatus, errorMessage) {
+                    if (xhr.status === 403) {
+                        app.ajaxError(xhr, textStatus, errorMessage);
+                    }
+                });
+        });
+
       if (showJoinLink) {
         // wire up the Join Link to the T&Cs dialog
         
@@ -429,8 +441,9 @@
     function createNotationFile(notation) {
       var notationVals = {
         notation_id: notation.id,
-        file_url: notation.file_url,
-        file_name: notation.file_name
+        file_url: notation.viewable ? notation.file_url + '?target=_blank' : '#',
+        file_name: notation.file_name,
+        link_class: notation.viewable ? '' : 'notation-link'
       };
 
       return context.JK.fillTemplate($notationFileTemplate.html(), notationVals);

web/app/controllers/api_music_notations_controller.rb

@@ -19,15 +19,20 @@ class ApiMusicNotationsController < ApiController
       @music_notations.push music_notation
     end if params[:files]
 
-    respond_with @music_notations, responder: ApiResponder, :statue => 201
+    respond_with @music_notations, responder: ApiResponder, :status => 201
   end
 
   def download
     @music_notation = MusicNotation.find(params[:id])
-    unless @music_notation.music_session.nil? || @music_notation.music_session.can_join?(current_user, true)
-      raise PermissionError, ValidationMessages::PERMISSION_VALIDATION_ERROR
-    end
 
-    redirect_to @music_notation.sign_url
+    unless @music_notation.music_session.nil? || @music_notation.music_session.can_join?(current_user, true)
+      render :text => "Permission denied", status:403
+      return
+    end
+    if '_blank'==params[:target]
+      redirect_to @music_notation.sign_url
+    else
+      render :text => @music_notation.sign_url
+    end
   end
-end
+end

web/app/views/api_music_sessions/show_history.rabl

@@ -85,7 +85,9 @@ else
       attributes :id, :file_name
 
       node do |music_notation|
-        { file_url: "/api/music_notations/#{music_notation.id}" }
+        { file_url: "/api/music_notations/#{music_notation.id}",
+          viewable: music_notation.music_session.can_join?(current_user, true) 
+        }
       end
   }
 

web/app/views/clients/_findSession.html.erb

@@ -245,7 +245,7 @@
 </script>
 
 <script type="text/template" id="template-notation-files">
-  <a data-notation-id="{notation_id}" href="{file_url}" rel="external">{file_name}</a><br />
+  <a class="{link_class}" data-notation-id="{notation_id}" href="{file_url}" rel="external">{file_name}</a><br />
 </script>
 
 <script type="text/template" id="template-musician-info">