diff --git a/app/controllers/chunks_controller.rb b/app/controllers/chunks_controller.rb
index 1a291da370c3f79afbe8b8f5d09ffc0e6d701643..0752a533e52be006ae32d845314245282f7646b4 100644
--- a/app/controllers/chunks_controller.rb
+++ b/app/controllers/chunks_controller.rb
@@ -7,19 +7,26 @@ class ChunksController < ApplicationController
 def show
 chunk = resumable_chunk chunk_number
- if File.exists?(chunk)
- post_file_and_create_thumbnail @learning_object, resumable_filename if last_chunk?
- #Let resumable.js know this chunk already exists
- render :nothing => true, :status => 200
+ unless valid_mime_type?
+ render :nothing => true, :status => 415
 else
- #Let resumable.js know this chunk doesnt exists and needs to be uploaded
- render :nothing => true, :status => 404
+ if File.exists?(chunk)
+ post_file_and_create_thumbnail @learning_object, resumable_filename if last_chunk?
+ #Let resumable.js know this chunk already exists
+ render :nothing => true, :status => 200
+ else
+ #Let resumable.js know this chunk doesnt exists and needs to be uploaded
+ render :nothing => true, :status => 404
+ end
 end
-
 end
-
 #POST /chunk
 def create
+
+ unless valid_mime_type?
+ return render :nothing => true, :status => 415
+ end
+
 #chunk path based on the parameters
 chunk = resumable_chunk chunk_number
@@ -101,6 +108,13 @@ class ChunksController < ApplicationController
 @learning_object = LearningObject.find chunks_params[:learning_object_id]
 end
+ def resumable_file_extension
+ File.extname(chunks_params[:resumableFilename]).tr('.','')
+ end
+
+ def valid_mime_type?
+ @learning_object.object_type.mime_types.map(&:extension).include? resumable_file_extension
+ end
 # Never trust parameters from the scary internet, only allow the white list through.
 def chunks_params
 params.permit(:file, :learning_object_id, :resumableIdentifier, :resumableFilename, :resumableChunkNumber, :resumableTotalChunks, :resumableChunkSize)
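Review bot: The 415 rejection is written two different ways in this hunk: `show` wraps its whole body in `unless valid_mime_type? ... else ... end` with the existing `if`/`else` nested inside, while `create` uses an early `return render`. Using the guard form in both actions, `return render :nothing => true, :status => 415 unless valid_mime_type?`, or moving the check into a controller filter that runs before both, keeps the rejection path identical and removes the extra nesting. Both guards read `@learning_object`, so they depend on it being loaded before the action body runs; the callback that does this is declared outside the hunk. The body of `create` continues past the end of the hunk.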
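Review bot: `valid_mime_type?` only compares the extension of the client-supplied `resumableFilename` against the allowed list, so it is a declared-extension allowlist and not a check of the uploaded content; the method name promises more than it delivers. The comparison is case-sensitive, and `File.extname` raises a `TypeError` when the parameter is missing, so a request without `resumableFilename` ends in a 500 rather than the intended 415. A more tolerant form would be `File.extname(chunks_params[:resumableFilename].to_s).delete('.').downcase`, assuming the stored extensions are lowercase. I would also add a comment above `valid_mime_type?` saying that it checks the declared extension only and that the assembled file's actual type still has to be verified before it is stored or served.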