fix: add missing authorization check on thumbnail download endpoint
bouassaba committed Aug 7, 2024
1 parent c195d5f commit 6655031
Showing 1 changed file with 9 additions and 6 deletions.
15 changes: 9 additions & 6 deletions api/service/file_service.go
Expand Up @@ -326,16 +326,16 @@ func (svc *FileService) DownloadOriginalBuffer(id string, rangeHeader string, bu
if err != nil {
return nil, err
}
if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
return nil, err
}
if file.GetType() != model.FileTypeFile || file.GetSnapshotID() == nil {
return nil, errorpkg.NewFileIsNotAFileError(file)
}
snapshot, err := svc.snapshotCache.Get(*file.GetSnapshotID())
if err != nil {
return nil, err
}
if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
return nil, err
}
if snapshot.HasOriginal() {
objectInfo, err := svc.s3.StatObject(snapshot.GetOriginal().Key, snapshot.GetOriginal().Bucket, minio.StatObjectOptions{})
if err != nil {
Expand Down Expand Up @@ -365,16 +365,16 @@ func (svc *FileService) DownloadPreviewBuffer(id string, rangeHeader string, buf
if err != nil {
return nil, err
}
if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
return nil, err
}
if file.GetType() != model.FileTypeFile || file.GetSnapshotID() == nil {
return nil, errorpkg.NewFileIsNotAFileError(file)
}
snapshot, err := svc.snapshotCache.Get(*file.GetSnapshotID())
if err != nil {
return nil, err
}
if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
return nil, err
}
if snapshot.HasPreview() {
objectInfo, err := svc.s3.StatObject(snapshot.GetOriginal().Key, snapshot.GetOriginal().Bucket, minio.StatObjectOptions{})
if err != nil {
Expand Down Expand Up @@ -408,6 +408,9 @@ func (svc *FileService) DownloadThumbnailBuffer(id string, userID string) (*byte
if file.GetType() != model.FileTypeFile || file.GetSnapshotID() == nil {
return nil, nil, nil, errorpkg.NewFileIsNotAFileError(file)
}
if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil {
return nil, nil, nil, err
}
snapshot, err := svc.snapshotCache.Get(*file.GetSnapshotID())
if err != nil {
return nil, nil, nil, err
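Review bot: In DownloadThumbnailBuffer the added `svc.fileGuard.Authorize(userID, file, model.PermissionViewer)` check runs after the `file.GetType() != model.FileTypeFile || file.GetSnapshotID() == nil` test, so a caller without viewer permission still receives `NewFileIsNotAFileError(file)` for a folder or a file with no snapshot, and an authorization error only otherwise. That difference lets an unauthorized caller learn that the ID exists and what kind of item it is, and the error is built from the file object itself (what it serializes is not visible here). Placing `if err = svc.fileGuard.Authorize(userID, file, model.PermissionViewer); err != nil { return nil, nil, nil, err }` directly after the file lookup's error check, ahead of the type test, gives every unauthorized request the same response. The same order should hold in DownloadOriginalBuffer and DownloadPreviewBuffer, where this page shows the Authorize call at two positions without marking which one is new. All three function bodies begin and end outside the hunks, so the lookup itself is not shown; a regression test calling each download method as a user without viewer permission would keep the check from going missing again.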
