From 75d50b82863d223556addb9eebe4f1299ad7bc35 Mon Sep 17 00:00:00 2001
From: Seth Call
Date: Mon, 8 Sep 2014 16:51:28 -0500
Subject: [PATCH] * make notations private bucket; only allow access if user has can_join? permissions for session
---
 .../app/uploaders/music_notation_uploader.rb | 2 +-
 .../jam_ruby/models/active_music_session.rb | 45 +++++-------------
 ruby/lib/jam_ruby/models/music_notation.rb | 25 +++++------
 ruby/lib/jam_ruby/models/music_session.rb | 12 ++++-
 web/app/views/api_music_sessions/show.rabl | 2 +-
 .../api_music_sessions/show_history.rabl | 2 +-
 6 files changed, 34 insertions(+), 54 deletions(-)
diff --git a/ruby/lib/jam_ruby/app/uploaders/music_notation_uploader.rb b/ruby/lib/jam_ruby/app/uploaders/music_notation_uploader.rb
index e50c34fd6..3f2f49e4f 100644
--- a/ruby/lib/jam_ruby/app/uploaders/music_notation_uploader.rb
+++ b/ruby/lib/jam_ruby/app/uploaders/music_notation_uploader.rb
@@ -4,7 +4,7 @@ class MusicNotationUploader < CarrierWave::Uploader::Base
 def initialize(*)
 super
- JamRuby::UploaderConfiguration.set_aws_public_configuration(self)
+ JamRuby::UploaderConfiguration.set_aws_private_configuration(self)
 end
 def store_dir
diff --git a/ruby/lib/jam_ruby/models/active_music_session.rb b/ruby/lib/jam_ruby/models/active_music_session.rb
index 662512572..78e9b305e 100644
--- a/ruby/lib/jam_ruby/models/active_music_session.rb
+++ b/ruby/lib/jam_ruby/models/active_music_session.rb
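Review bot: `set_aws_private_configuration` only governs how `MusicNotationUploader` stores files from now on; notations already uploaded under the public configuration presumably keep whatever bucket and ACL they were stored with, so making the bucket private also needs a one-off migration (re-upload or ACL change) of the existing objects, and a deploy note saying so. Existing rows also predate the `created_at` date segment that music_notation.rb's `construct_filename` now adds, so any code that rebuilds a key from `filename` (the `before_destroy :delete_s3_files` hook, if it does) will miss them. A short comment above the call, `# private bucket: notation files are reachable only through MusicNotation#sign_url`, would record why the uploader is private.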
@@ -549,41 +549,6 @@ module JamRuby
 end
 end
- # Verifies that the specified user can join this music session
- def can_join? user, as_musician
- if as_musician
- if !user.musician
- return false # "a fan can not join a music session as a musician"
- raise PermissionError, "a fan can not join a music session as a musician"
- end
-
- if self.musician_access
- if self.approval_required
- return self.invited_musicians.exists?(user)
- else
- return true
- end
-
- else
- # the creator can always join, and the invited users can join
- return self.creator == user || self.invited_musicians.exists?(user)
- end
- else
- # it's a fan, and the only way a fan can join is if fan_access is true
- return self.fan_access
- end
-
- end
-
- # Verifies that the specified user can see this music session
- def can_see? user
- if self.musician_access || self.fan_access
- true
- else
- self.creator == user || self.invited_musicians.exists?(user)
- end
- end
-
 # Verifies that the specified user can delete this music session
 def can_delete? user
 # the creator can delete
@@ -685,6 +650,16 @@ module JamRuby
 music_session.music_notations
 end
+ # Verifies that the specified user can join this music session
+ def can_join? user, as_musician
+ music_session.can_join? user, as_musician
+ end
+
+ # Verifies that the specified user can see this music session
+ def can_see? user
+ music_session.can_see? user
+ end
+
 def tick_track_changes
 self.track_changes_counter += 1
 self.save!(:validate => false)
diff --git a/ruby/lib/jam_ruby/models/music_notation.rb b/ruby/lib/jam_ruby/models/music_notation.rb
index d7049391d..0f5073294 100644
--- a/ruby/lib/jam_ruby/models/music_notation.rb
+++ b/ruby/lib/jam_ruby/models/music_notation.rb
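Review bot: The new `can_join?` wrapper answers from `music_session`'s associations, whereas the `ActiveMusicSession#can_join?` it replaces consulted this record's own `invited_musicians`; if the two associations can diverge, this is a silent change in who may join, and a comment on the wrapper should state that the music session is authoritative. Stylistically the two wrappers are plain forwarders, which ActiveSupport expresses in one line, `delegate :can_join?, :can_see?, :to => :music_session`, assuming the model has ActiveSupport loaded (the `save!` and association calls around it suggest it does). The enclosing class continues outside the hunk.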
@@ -6,7 +6,7 @@ module JamRuby
 self.primary_key = 'id'
- attr_accessible :file_url, :size, :file_name, :absolute_url_path
+ attr_accessible :file_url, :size, :file_name
 belongs_to :user, :class_name => "JamRuby::User", foreign_key: :user_id
 belongs_to :music_session, :class_name => "JamRuby::MusicSession", foreign_key: :music_session_id
@@ -15,7 +15,7 @@ module JamRuby
 before_destroy :delete_s3_files
- validates :file_url, :presence => true
+ #validates :file_url, :presence => true
 validates :size, :presence => true
 def self.create(session_id, file, current_user)
@@ -24,31 +24,28 @@ module JamRuby
 music_notation.music_session_id = session_id
 music_notation.user = current_user
 music_notation.size = file.size
- music_notation[:file_url] = music_notation.filename
+
+ # save first to get a valid created_at time
+ music_notation.save!
+
+ # now that the model exists (created_at exists), we can save the file in the correct path
+ music_notation.file_url = file
 music_notation.save
- return music_notation
+ music_notation
 end
 def filename
 MusicNotation.construct_filename(self)
 end
- def absolute_url_path
- s3_manager({:public => true}).url(self.filename)
- end
-
- def s3_url
- s3_manager({:public => true}).s3_url(self.filename)
- end
-
 def sign_url(expiration_time = 120)
- s3_manager({:public => true}).sign_url(self[:file_url], {:expires => expiration_time, :secure => false})
+ s3_manager.sign_url(self[:file_url], {:expires => expiration_time, :secure => false})
 end
 private
 def self.construct_filename(notation)
- "#{NOTATION_FILE_DIR}/#{notation.user.id}/#{notation.file_name}" #-#{created_at.strftime('%m-%d-%Y')}
+ "#{NOTATION_FILE_DIR}/#{notation.created_at.strftime('%m-%d-%Y')}/#{notation.user.id}/#{notation.file_name}"
 end
 def delete_s3_files
diff --git a/ruby/lib/jam_ruby/models/music_session.rb b/ruby/lib/jam_ruby/models/music_session.rb
index 3b26521bd..34b31269a 100644
--- a/ruby/lib/jam_ruby/models/music_session.rb
+++ b/ruby/lib/jam_ruby/models/music_session.rb
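Review bot: Commenting out `validates :file_url, :presence => true` drops the only guarantee that a persisted notation has a file, and the next hunk's two-step create (`save!` before the file is assigned, then a bare `save` whose result is discarded) means a failed upload now leaves a row with no file, for which `sign_url` would later pass a nil `self[:file_url]` to `s3_manager.sign_url`. Keep the rule but scope it to the second step, `validates :file_url, :presence => true, :on => :update`, and make that step `music_notation.save!` inside a transaction so the placeholder row is rolled back when the file cannot be stored. If the validation was disabled on purpose, a comment saying why belongs in place of the commented-out line.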
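Review bot: The rewritten `sign_url` keeps `:secure => false`, so the pre-signed link to what is now a private object is issued as a plain-http URL; the query-string signature is the only thing standing between the object and the public, and an unencrypted transport exposes it to anyone able to observe the request during the 120-second window. `:secure => true` is the option that matches the commit's intent of limiting access to users who pass `can_join?`. Dropping `{:public => true}` on the same line is consistent with the uploader change, but `s3_manager`'s default configuration is not visible in this patch, so it is worth confirming that the bare call signs against the private bucket.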
@@ -212,14 +212,14 @@ module JamRuby
 if self.musician_access
 if self.approval_required
- return self.invited_musicians.exists?(user)
+ return self.invited_musicians.exists?(user) || self.approved_rsvps.include?(user)
 else
 return true
 end
 else
 # the creator can always join, and the invited users can join
- return self.creator == user || self.invited_musicians.exists?(user)
+ return self.creator == user || self.invited_musicians.exists?(user) || self.approved_rsvps.include?(user)
 end
 else
 # it's a fan, and the only way a fan can join is if fan_access is true
@@ -227,6 +227,14 @@ module JamRuby
 end
 end
+ def can_see? user
+ if self.musician_access || self.fan_access
+ true
+ else
+ self.creator == user || self.invited_musicians.exists?(user)
+ end
+ end
+
 def self.index(current_user, user_id, band_id = nil, genre = nil)
 hide_private = false if current_user.id != user_id
diff --git a/web/app/views/api_music_sessions/show.rabl b/web/app/views/api_music_sessions/show.rabl
index c526098c0..274246985 100644
--- a/web/app/views/api_music_sessions/show.rabl
+++ b/web/app/views/api_music_sessions/show.rabl
@@ -23,7 +23,7 @@ else
 attributes :id, :file_name
 node do |music_notation|
- { file_url: music_notation.absolute_url_path }
+ { file_url: "/api/music_notations/#{music_notation.id}" }
 end
 }
diff --git a/web/app/views/api_music_sessions/show_history.rabl b/web/app/views/api_music_sessions/show_history.rabl
index fa10c1678..9d732d843 100644
--- a/web/app/views/api_music_sessions/show_history.rabl
+++ b/web/app/views/api_music_sessions/show_history.rabl
@@ -85,7 +85,7 @@ else
 attributes :id, :file_name
 node do |music_notation|
- { file_url: music_notation.absolute_url_path }
+ { file_url: "/api/music_notations/#{music_notation.id}" }
 end
 }
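Review bot: `self.approved_rsvps.include?(user)` on both changed lines answers a membership question by loading the whole collection, unlike the adjacent `invited_musicians.exists?(user)` which answers with a query; if `approved_rsvps` is an association of users, `self.approved_rsvps.exists?(user)` keeps the two checks consistent and avoids the load. If it is a plain method returning an Array, `include?` is the right call and a one-line comment saying so would stop the next reader from "fixing" it. The enclosing `can_join?` starts and ends outside the hunk.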
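Review bot: The new `can_see?` does not consider `approved_rsvps`, although the previous hunk just made an approved RSVP sufficient for `can_join?`; for a session with neither `musician_access` nor `fan_access`, a user who is allowed to join would be told they cannot see it. Unless that asymmetry is intended, the private branch should read `self.creator == user || self.invited_musicians.exists?(user) || self.approved_rsvps.include?(user)`. A one-line comment on the method naming the audiences it grants visibility to would make the intended rule explicit.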
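Review bot: The new `file_url` sends clients to `/api/music_notations/#{music_notation.id}` (here and in show_history.rabl), but this patch contains no controller for that route, so the `can_join?`/`can_see?` check the commit message promises is not visible anywhere in the change; the private bucket only protects anything if that endpoint enforces the check before calling `MusicNotation#sign_url`, so it should land together with this diff or the description should point to where it lives. The same literal path is now duplicated in two templates; a named route helper or a `MusicNotation#api_path` method would keep them from drifting apart.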