[WEB-2718] fix: issue attachment uploads #5904

Merged
pushya22 merged 1 commit into preview from chore/issue-attachment-upload
Oct 23, 2024
NarayanBavisetti (Collaborator) commented Oct 23, 2024

fix:

  • this pull request resolves the issue with the upload of attachments.

Issue Link: WEB-2718

Summary by CodeRabbit

  • New Features

    • Enhanced asset management with improved validation for file types and sizes during uploads.
    • Introduced soft delete functionality for attachments, allowing for better asset management.
    • Added functionality to retrieve presigned URLs for downloading assets.
  • Bug Fixes

    • Improved consistency in setting the created_by attribute across various asset handling methods.
  • Documentation

    • Updated method signatures and descriptions for clarity in asset handling operations.

coderabbitai bot (Contributor) commented Oct 23, 2024

Walkthrough

The changes in this pull request focus on refining the asset management functionality across various endpoints. Key modifications include standardizing the assignment of the created_by attribute for FileAsset instances, implementing soft deletion for attachments, and enhancing validation for file types and sizes. Additionally, a new patch method was introduced for managing attachment statuses, and existing methods were updated to improve error handling and asset retrieval processes.

Changes

File Path | Change Summary
apiserver/plane/app/views/asset/v2.py | Updated post, patch, and delete methods in multiple endpoints to standardize created_by assignment.
apiserver/plane/app/views/issue/attachment.py | Added validation for file type and size in post, introduced soft deletion in delete, enhanced get method, and added a new patch method.
apiserver/plane/space/views/asset.py | Modified patch method to change how created_by is set, no changes to other methods.

Possibly related PRs

  • fix: private bucket  #5812: This PR modifies the UserAssetsV2Endpoint, WorkspaceFileAssetEndpoint, and ProjectAssetEndpoint classes, enhancing asset management functionality, particularly in how the created_by attribute is handled, which aligns with the changes in the main PR.
  • [WEB-2718] chore: issue attachment deletion #5903: This PR also updates the post, patch, and delete methods across several classes, focusing on the handling of asset creation and updates, including the created_by parameter, which is consistent with the changes made in the main PR.

Suggested labels

🐛bug, 🌐frontend, ⚙️backend

Suggested reviewers

  • pablohashescobar
  • sriramveeraghanta
  • gurusainath

🐇 In the code we hop and play,
Assets managed in a clearer way.
With soft deletes and checks so bright,
Our files now dance in the moonlight.
Hooray for changes, let's all cheer,
For better handling, year by year! 🎉


coderabbitai bot (Contributor) left a comment

Actionable comments posted: 2

🧹 Outside diff range and nitpick comments (2)
apiserver/plane/app/views/asset/v2.py (2)

Line range hint 1-800: Consider implementing a pre-save signal handler for FileAsset.

To ensure consistent handling of created_by across all creation/update paths, consider implementing a pre-save signal handler for the FileAsset model. This would provide a centralized location for this logic.

Example implementation in models.py:

from django.db.models.signals import pre_save
from django.dispatch import receiver

@receiver(pre_save, sender=FileAsset)
def ensure_created_by(sender, instance, **kwargs):
    if not instance.created_by and hasattr(instance, '_request'):
        instance.created_by = instance._request.user

Then in your views:

def patch(self, request, ...):
    asset = FileAsset.objects.get(...)
    asset._request = request  # Attach request to instance
    asset.save()

Line range hint 1-800: Enhance error handling for file uploads.

The current implementation could benefit from more robust error handling around file uploads and S3 operations.

Consider:

  1. Adding retry logic for S3 operations
  2. Implementing proper cleanup if upload fails
  3. Adding monitoring/logging for upload failures
  4. Implementing file upload resume capability for large files

Would you like me to create a GitHub issue to track these improvements?

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL

📥 Commits

Files that changed from the base of the PR and between 56bb6e1 and 3d06ea9.

📒 Files selected for processing (3)
  • apiserver/plane/app/views/asset/v2.py (3 hunks)
  • apiserver/plane/app/views/issue/attachment.py (1 hunks)
  • apiserver/plane/space/views/asset.py (1 hunks)
🧰 Additional context used
🔇 Additional comments (3)
apiserver/plane/space/views/asset.py (2)

172-173: LGTM: Consistent created_by assignment style.

The explicit assignment of created_by before save is consistent with other asset handling methods across the codebase.


Line range hint 63-77: Consider enhancing file upload security measures.

While basic file type and size validation exists, consider these security improvements:

  1. Expand allowed file types based on use case requirements
  2. Add content validation beyond extension checking
  3. Consider implementing virus scanning for uploaded files
  4. Add support for modern image formats (avif, heic)

Let's check if there's any file type validation elsewhere:

apiserver/plane/app/views/asset/v2.py (1)

212-213: Verify if explicitly setting created_by resolves the root issue.

The changes consistently set created_by = request.user before calling save() across all patch methods. While this ensures the creator is properly recorded, let's verify if this addresses the root cause.

Also applies to: 463-464, 695-696

Comment on lines +172 to +173
asset.created_by = request.user
asset.save()

⚠️ Potential issue

Reconsider modifying created_by in PATCH method.

The PATCH method is typically used for updating resource attributes, but here it's modifying the created_by field which is creation metadata. This could lead to inconsistencies in audit trails.

Consider one of these approaches:

- asset.created_by = request.user
- asset.save()
+ # Option 1: Only update if not already set
+ if not asset.created_by:
+     asset.created_by = request.user
+ asset.save()

+ # Option 2: Don't modify created_by in patch
+ asset.save()
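
Review bot: The added lines carry both alternatives at once, so applying the suggestion as written leaves two asset.save() calls in the patch method; only one of Option 1 or Option 2 should be kept. In Option 1, `if not asset.created_by:` loads the related user just to test whether a creator is set; assuming created_by is a foreign key (as the `request.user` assignment implies), `if asset.created_by_id is None:` makes the same check without the extra query and keeps the original creator intact for audit purposes.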

Committable suggestion was skipped due to low confidence.


# Update the attachment
issue_attachment.is_uploaded = True
issue_attachment.created_by = request.user

💡 Codebase verification

Based on the gathered information, I can now provide the final response:

Setting created_by in the patch method is incorrect and should be removed

The FileAsset model inherits from BaseModel and its serializer explicitly marks created_by as a read-only field. This indicates that created_by should only be set during creation and not be modified afterward. The current implementation in the patch method incorrectly overwrites the original creator, which violates this design principle.

Key findings:

  • The FileAssetSerializer explicitly defines created_by in read_only_fields
  • Other operations on FileAsset instances (like restore, delete) don't modify the created_by field
  • The field is only set during object creation, as seen in the initial search results
🔗 Analysis chain

Verify that setting created_by in the patch method does not overwrite the original creator.

Setting issue_attachment.created_by = request.user in the patch method may overwrite the original creator of the attachment. Please confirm that this is intended behavior and that it does not affect audit trails or permissions related to the created_by field.

Run the following script to identify where created_by is set on FileAsset instances:


Let me gather more context about the patch method and how created_by is handled in the codebase.


Let me search for the FileAsset model definition to understand its fields and any history tracking mechanisms.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Find where 'created_by' is assigned on FileAsset instances.

# Test: Search for assignments to 'created_by' during creation.
# Expected: 'created_by' should be set during creation and not modified afterward.

# Search for creation of FileAsset with 'created_by' set
rg "FileAsset\.objects\.create\(" -A 10 | rg "created_by\s*="

# Search for assignments to 'created_by' outside of creation
rg "issue_attachment\.created_by\s*=" --glob "!.*/migrations/*" | rg -v "FileAsset\.objects\.create"

Length of output: 649


Script:

#!/bin/bash
# Get the full context of the patch method and surrounding code
rg -B 10 -A 10 "def patch\(" apiserver/plane/app/views/issue/attachment.py

# Check if there's any audit trail or history tracking for FileAsset
ast-grep --pattern 'class FileAsset($$$)' 

Length of output: 882


Script:

#!/bin/bash
# Find the FileAsset model definition
rg -B 5 -A 15 "class FileAsset" 

# Check for any model inheritance or history tracking mixins
rg "class FileAsset\(.*\):"

# Look for any update operations on FileAsset
rg "FileAsset\.objects\.update" -A 5

Length of output: 5952
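
The "content validation beyond extension checking" item from the review above, as an added example that is not part of this PR or of Plane's code. The function names, the allowlist, the size cap and the sample bytes are assumptions made for illustration.

```python
"""Added example: upload validation that checks content, not only the name."""
import os

MAX_SIZE = 5 * 1024 * 1024  # assumed 5 MiB cap, not Plane's configured limit

# Assumed allowlist: declared type -> byte signatures that must open the file.
SIGNATURES = {
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "image/gif": [b"GIF87a", b"GIF89a"],
    "application/pdf": [b"%PDF-"],
}
EXT_TYPES = {".png": "image/png", ".jpg": "image/jpeg", ".jpeg": "image/jpeg",
             ".gif": "image/gif", ".pdf": "application/pdf"}


def sniff_type(head):
    """Return the allowlisted type whose signature matches the leading bytes."""
    for mime, sigs in SIGNATURES.items():
        if any(head.startswith(sig) for sig in sigs):
            return mime
    return None


def validate_upload(name, declared_type, size, head):
    """Return rejection reasons for one upload; an empty list means accept."""
    errors = []
    if not 0 < size <= MAX_SIZE:
        errors.append("size")
    # The extension and the declared type are both client-controlled, so they
    # are only checked for consistency with each other.
    if EXT_TYPES.get(os.path.splitext(name)[1].lower()) != declared_type:
        errors.append("extension")
    if declared_type not in SIGNATURES:
        errors.append("type-not-allowed")
    elif sniff_type(head) != declared_type:
        # The decisive check: what the first bytes actually are.
        errors.append("content-mismatch")
    return errors


# Constructed sample inputs (first bytes only).
PNG_HEAD = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR"
HTML_HEAD = b"<!DOCTYPE html><html>"

if __name__ == "__main__":
    print(validate_upload("logo.png", "image/png", 2048, PNG_HEAD))
    print(validate_upload("logo.png", "image/png", 2048, HTML_HEAD))
    print(validate_upload("big.bin", "application/octet-stream", MAX_SIZE + 1, b"\x00"))
```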
