Confirm frame

BrainPortal/app/controllers/userfiles_controller.rb

@@ -440,6 +440,36 @@ def show #:nodoc:
     end
   end
 
+  # establishes trust in all the files of a creator of this file for the duration of the session
+  # This method is used to render html userfiles or collection elements
+  def trust_creator
+    @userfile = Userfile.find_accessible_by_user(params[:id], current_user, :access_requested => :read)
+    cbrain_session[:trust_user_files] ||= []
+    unless cbrain_session[:trust_user_files].include?(@userfile.user_id)
+      ids = cbrain_session[:trust_user_files] # in place modification does not work well within a session
+      ids.shift if ids.length > 99  # cap to 100 ids, session storage is limited
+      cbrain_session[:trust_userfiles] = ids << @userfile.user_id
+    end
+    respond_to do |format|
+      format.js  { render js: "" }  # no need to do anything as of now
+    end
+  end
+
+  # establishes trust in a file or all the other files of a collection for the duration of the session
+  # This method is used to render html userfiles or collection elements
+  def trust
+    @userfile = Userfile.find_accessible_by_user(params[:id], current_user, :access_requested => :read)
+    cbrain_session[:trust_userfiles] ||= []
+    unless cbrain_session[:trust_userfiles].include?(@userfile.id)
+      ids = cbrain_session[:trust_userfiles]  # in place modification does not work well within a session
+      ids.shift if ids.length > 199  # limit to 200 file ids, session size is limited
+      cbrain_session[:trust_userfiles] = ids << @userfile.id
+    end
+    respond_to do |format|
+      format.js  { render js: "" }  # no need to do anything as of now
+    end
+  end
+
   # Triggers the mass synchronization of several userfiles
   # or mass 'desynchronization' (ProvNewer) of several userfiles.
   def sync_multiple #:nodoc:

BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/html_file.rb

@@ -33,6 +33,6 @@ def self.file_name_pattern #:nodoc:
 
   def self.pretty_type #:nodoc:
     "HTML File"
-  end  
+  end
 
 end

BrainPortal/cbrain_plugins/cbrain-plugins-base/userfiles/html_file/views/_html.html.erb

@@ -1,4 +1,3 @@
-
 <%
 #
 # CBRAIN Project
@@ -22,29 +21,68 @@
 #
 %>
 
-<% if params[:new_tab].blank? # show only on userfile page %>
+This HTML document is not part of CBRAIN. <em> You should <strong>not</strong> view or
+  interact with it unless you fully trust it. </em> (Forms and external links are disabled.)
+<br>
+
+<% if params[:new_tab].blank?
+     # show only on userfile page %>
   <%= link_to(
-      "Open in a separate tab",
-      display_userfile_url(@userfile,
-        :viewer                => :html,
-        :content_viewer        => "on",
-        :file_name             => @userfile.name,
-        :viewer_userfile_class => "HtmlFile",
-        :new_tab               => "yes"
-      ),
-      :target => "_blank"
-    ) %>
+        "Open in a separate tab",
+        display_userfile_url(@userfile,
+          :viewer                => :html,
+          :content_viewer        => "on",
+          :file_name             => @userfile.name,
+          :viewer_userfile_class => "HtmlFile",
+          :new_tab => "yes"
+        ),
+        :target => "_blank"
+      )
+  %>
 <% end %>
 <br>
-The HTML document previewed in the frame below is not part of CBRAIN. <em> You should <strong>not</strong> open it or
-interact with it unless you fully trust it. </em> Forms and external links are disabled.
+
+<%# -- for other user's files ask confirmation, unless user of files is marked as trusted %>
+<% hide_frame = params[:new_tab].blank? && current_user.id != @userfile.user_id %>
+<% hide_frame &&= !cbrain_session[:trust_user_files]&.include?(@userfile.user_id) %>
+<% hide_frame &&= !cbrain_session[:trust_userfiles]&.include?(@userfile.id) %>
+<% if hide_frame %>
+  <div class="trust-file-btn">
+
+    <%= link_to "I trust all #{@userfile.user.login}'s  files,",
+                trust_creator_userfile_path(@userfile),
+                method: :post,
+                remote: true
+    %>
+    show them without warnings during this session
+  </div>
+  <div class="trust-file-btn">
+    <%= link_to "Show just this userfile",
+                trust_userfile_path(@userfile),
+                method: :post,
+                remote: true
+    %>
+  </div>
+<% end %>
+
 <br>
-<iframe sandbox="allow-scripts allow-same-origin"
-    src="<%= stream_userfile_path(@userfile, :disposition => 'inline')%>"
-    class="full-frame"
-    <% if params[:new_tab].present? # workaround to wide frame in a new tab %>
-      style="height: 100%; width: 100%;"
+
+<div class="iframe-container" id="iframe-container"
+    <% if hide_frame %>
+      hidden
     <% end %>
- >
+>
+  <iframe sandbox="allow-scripts allow-same-origin"
+      data-frame-url="<%= stream_userfile_path(@userfile, :disposition => 'inline') %>"
+      <% unless hide_frame %>
+        src="<%= stream_userfile_path(@userfile, :disposition => 'inline') %>"
+      <% end %>
+        class="full-frame html-viewer"
+      <% if params[:new_tab].present?
+        # workaround to wide frame in a new tab %>
+        style="height: 100%; width: 100%;"
+      <% end %>
+  >
     HTML Viewer
-</iframe>
+  </iframe>
+</div>

BrainPortal/config/routes.rb

@@ -140,6 +140,8 @@
       get  'stream/*file_path' => 'userfiles#stream'
       get  'display'
       post 'extract_from_collection'
+      post 'trust'
+      post 'trust_creator'
     end
     collection do
       post   'download'

BrainPortal/public/javascripts/cbrain.js

@@ -759,6 +759,15 @@
       form.submit();
     });
 
+    // show HMTL file in a frame after user indicates trust (to that file or file owner)
+    $(document).on("ajax:success", ".trust-file-btn",  function (event) {
+      let trustBtn = $(".trust-file-btn");
+      let iframe = $("body").find('.html-viewer');
+      let iframeContainer = $("body").find('.iframe-container');
+      iframe.attr('src', iframe.data('frame-url'));
+      trustBtn.hide();
+      iframeContainer.show();  // css trumps html
+    });
 
     //html_tool_tip_code based on xstooltip provided by
     //http://www.texsoft.it/index.php?%20m=sw.js.htmltooltip&c=software&l=it