cartodb-4.42/app/controllers/carto/api/public/custom_visualizations_controller.rb

require_relative '../visualization_searcher'
require_relative '../paged_searcher'

class Carto::Api::Public::CustomVisualizationsController < Carto::Api::Public::ApplicationController
  include Carto::Api::VisualizationSearcher
  include Carto::Api::PagedSearcher

  CONTENT_LENGTH_LIMIT_IN_BYTES = 10 * 1024 * 1024 # 10MB
  VALID_ORDER_PARAMS = %i(name updated_at privacy).freeze
  ALLOWED_PRIVACY_MODES = [
    Carto::Visualization::PRIVACY_PUBLIC,
    Carto::Visualization::PRIVACY_PROTECTED
  ].freeze

  IF_EXISTS_FAIL = 'fail'.freeze
  IF_EXISTS_REPLACE = 'replace'.freeze
  VALID_IF_EXISTS = [IF_EXISTS_FAIL, IF_EXISTS_REPLACE].freeze

  ssl_required

  before_action :check_master_api_key
  before_action :validate_mandatory_creation_params, only: [:create]
  before_action :validate_input_parameters, only: [:create, :update]
  before_action :get_kuviz, only: [:update, :delete]
  before_action :get_user, only: [:create, :update, :delete]
  before_action :check_public_map_quota, only: [:create]
  before_action :check_edition_permission, only: [:update, :delete]
  before_action :validate_if_exists, only: [:create, :update]
  before_action :get_last_one, only: [:create]
  before_action :remove_duplicates, only: [:create, :update]

  rescue_from Carto::UnauthorizedError, with: :rescue_from_carto_error
  rescue_from Carto::ParamInvalidError, with: :rescue_from_carto_error
  rescue_from Carto::QuotaExceededError, with: :rescue_from_carto_error

  def index
    opts = { valid_order_combinations: VALID_ORDER_PARAMS }
    page, per_page, order, order_direction = page_per_page_order_params(VALID_ORDER_PARAMS, opts)
    params[:type] = Carto::Visualization::TYPE_KUVIZ
    vqb = query_builder_with_filter_from_hash(params)

    visualizations = vqb.with_order(order, order_direction)
                        .build_paged(page, per_page).map do |v|
      Carto::Api::Public::KuvizPresenter.new(self, v.user, v).to_hash
    end
    response = {
      visualizations: visualizations,
      total_entries: vqb.count
    }
    render_jsonp(response)
  rescue Carto::ParamInvalidError, Carto::ParamCombinationInvalidError => e
    render_jsonp({ error: e.message }, e.status)
  rescue StandardError => e
    log_error(exception: e)
    render_jsonp({ error: e.message }, 500)
  end

  def create
    return update if @kuviz

    kuviz = create_visualization_metadata(@logged_user)
    asset = Carto::Asset.for_visualization(visualization: kuviz,
                                           resource: StringIO.new(Base64.decode64(params[:data])))
    asset.save
    Carto::Tracking::Events::CreatedMap.new(@logged_user.id, event_properties(kuviz).merge(origin: 'custom')).report

    render_jsonp(Carto::Api::Public::KuvizPresenter.new(self, @logged_user, kuviz).to_hash, 200)
  rescue ActiveRecord::RecordInvalid => e
    log_error(message: 'Error creating kuviz', params: params, exception: e)
    render_jsonp({ error: e.message }, 400)
  rescue StandardError => e
    log_error(message: 'Error creating kuviz', params: params, exception: e)
    render_jsonp({ error: 'The kuviz can not be created' }, 500)
  end

  def update
    @kuviz.update_attributes!(params.permit(:name, :privacy, :password))

    if params[:data].present?
      @kuviz.asset.update_visualization_resource(StringIO.new(Base64.decode64(params[:data])))
      # In case we only update the asset we need to invalidate the visualization
      @kuviz.save
    end
    Carto::Tracking::Events::ModifiedMap.new(@logged_user.id, event_properties(@kuviz)).report

    render_jsonp(Carto::Api::Public::KuvizPresenter.new(self, @logged_user, @kuviz).to_hash, 200)
  rescue ActiveRecord::RecordInvalid => e
    render_jsonp({ error: e.message }, 400)
  end

  def delete
    Carto::Tracking::Events::DeletedMap.new(@logged_user.id, event_properties(@kuviz)).report
    @kuviz.destroy
    head 204
  rescue StandardError => e
    log_error(message: 'Error deleting kuviz', exception: e, visualization: @kuviz)
    render_jsonp({ errors: [e.message] }, 400)
  end

  private

  def create_visualization_metadata(user)
    kuviz = Carto::Visualization.new
    kuviz.name = params[:name]
    kuviz.privacy = params[:password].present? ? Carto::Visualization::PRIVACY_PROTECTED : Carto::Visualization::PRIVACY_PUBLIC
    kuviz.password = params[:password]
    kuviz.type = Carto::Visualization::TYPE_KUVIZ
    kuviz.user = user
    kuviz.save!
    kuviz
  end

  def event_properties(kuviz)
    {
      user_id: @logged_user.id,
      visualization_id: kuviz.id
    }
  end

  def get_user
    @logged_user = current_viewer.present? ? Carto::User.find(current_viewer.id) : nil
  end

  def check_master_api_key
    api_key = Carto::ApiKey.find_by_token(params["api_key"])
    raise Carto::UnauthorizedError unless api_key&.master?
  end

  def check_edition_permission
    head(403) unless @kuviz.has_permission?(@logged_user, Carto::Permission::ACCESS_READWRITE)
  end

  def check_public_map_quota
    return unless CartoDB::QuotaChecker.new(@logged_user).will_be_over_public_map_quota?
    raise Carto::QuotaExceededError.new('Public map quota exceeded')
  end

  def validate_input_parameters
    if request.content_length > CONTENT_LENGTH_LIMIT_IN_BYTES
      return render_jsonp({ error: "Visualization over the size limit (#{CONTENT_LENGTH_LIMIT_IN_BYTES / 1024 / 1024}MB)" }, 400)
    end

    if params[:privacy].present?
      unless ALLOWED_PRIVACY_MODES.include?(params[:privacy])
        return render_jsonp({ error: "privacy mode not allowed. Allowed ones are #{ALLOWED_PRIVACY_MODES}" }, 400)
      end
      if params[:privacy] == Carto::Visualization::PRIVACY_PROTECTED && !params[:password].present?
        return render_jsonp({ error: 'Changing privacy to protected should come along with the password param' }, 400)
      end
    end

    if params[:data].present?
      begin
        decoded_data = Base64.strict_decode64(params[:data])
        return render_jsonp({ error: 'data parameter must be HTML' }, 400) unless html_param?(decoded_data)
      rescue ArgumentError
        return render_jsonp({ error: 'data parameter must be encoded in base64' }, 400)
      end
    end
  end

  def validate_mandatory_creation_params
    if !params[:data].present?
      render_jsonp({ error: 'missing data parameter' }, 400)
    elsif !params[:name].present?
      render_jsonp({ error: 'missing name parameter' }, 400)
    end
  end

  def html_param?(data)
    # FIXME this is a very naive implementantion. I'm trying to use
    # Nokogiri to validate the HTML but it doesn't works as I want
    # so
    data.match(/\<html.*\>/).present?
  end

  def get_kuviz
    @kuviz = Carto::Visualization.find(params[:id])
    if @kuviz.nil?
      raise Carto::LoadError.new('Kuviz doesn\'t exist', 404)
    end
  end

  def validate_if_exists
    @if_exists = params[:if_exists]
    if @if_exists.nil?
      @if_exists = @kuviz.present? ? IF_EXISTS_REPLACE : IF_EXISTS_FAIL
    end

    raise Carto::ParamInvalidError.new(:if_exists, VALID_IF_EXISTS.join(', ')) unless VALID_IF_EXISTS.include?(@if_exists)
  end

  def get_last_one
    if @if_exists == IF_EXISTS_REPLACE
      @kuviz = kuvizs_by_name.order(updated_at: :desc).first
    end
  end

  def remove_duplicates
    if @if_exists == IF_EXISTS_REPLACE
      existing_kuvizs = kuvizs_by_name - [@kuviz]
      existing_kuvizs.each(&:destroy!)
    end
  end

  def kuvizs_by_name
    Carto::Visualization.where(user: @logged_user, name: params[:name], type: Carto::Visualization::TYPE_KUVIZ)
  end
end