Conversation
📝 WalkthroughWalkthroughStorage controller response now sets Content-Disposition dynamically by reading a Estimated code review effort🎯 2 (Simple) | ⏱️ ~10 minutes
Pre-merge checks and finishing touches❌ Failed checks (1 inconclusive)
✅ Passed checks (2 passed)
✨ Finishing touches
🧪 Generate unit tests (beta)
📜 Recent review detailsConfiguration used: Path: .coderabbit.yaml Review profile: CHILL Plan: Pro ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (2)
✅ Files skipped from review due to trivial changes (1)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
🔇 Additional comments (1)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
Security Scan Results for PRDocker Image Scan Results
Source Code Scan Results🎉 No vulnerabilities found! |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 0
🧹 Nitpick comments (1)
app/controllers/api/storage.php (1)
1511-1571: Deriving Content‑Disposition from JWT is correct; consider whitelisting valuesUsing a JWT claim to drive
Content-Dispositionand defaulting toinlinepreserves existing behavior and lets CSV exports opt intoattachment, which looks good.To harden this a bit and avoid unexpected or malformed dispositions from any future issuer of these JWTs, you could constrain the value to a small allow‑list before using it in the header, e.g.:
- $isInternal = $decoded['internal'] ?? false; - $disposition = $decoded['disposition'] ?? 'inline'; + $isInternal = $decoded['internal'] ?? false; + $disposition = $decoded['disposition'] ?? 'inline'; + $allowedDispositions = ['inline', 'attachment']; + if (!\in_array($disposition, $allowedDispositions, true)) { + $disposition = 'inline'; + }Header construction can remain as is:
->addHeader('Content-Disposition', $disposition . '; filename="' . $file->getAttribute('name', '') . '"')This keeps the new feature but prevents accidental introduction of odd or invalid disposition tokens.
📜 Review details
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
📒 Files selected for processing (2)
app/controllers/api/storage.php(2 hunks)src/Appwrite/Platform/Workers/Migrations.php(1 hunks)
🧰 Additional context used
🧬 Code graph analysis (1)
app/controllers/api/storage.php (2)
tests/e2e/Client.php (1)
addHeader(161-166)src/Appwrite/Utopia/Response.php (1)
file(841-848)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
- GitHub Check: Setup & Build Appwrite Image
- GitHub Check: Setup & Build Appwrite Image
- GitHub Check: scan
🔇 Additional comments (1)
src/Appwrite/Platform/Workers/Migrations.php (1)
520-529: CSV export JWT disposition claim is consistent and backward‑compatibleAdding
'disposition' => 'attachment'here cleanly enables download behavior for CSV exports while preserving defaultinlinesemantics for any existing tokens that lack this claim. No issues spotted.
✨ Benchmark results
⚡ Benchmark Comparison
|
1 participant
What does this PR do?
(Provide a description of what this PR does and why it's needed.)
Test Plan
(Write your test plan here. If you changed any code, please provide us with clear instructions on how you verified your changes work. Screenshots may also be helpful.)
Related PRs and Issues
Checklist