From 8b2407371365fc123fc368bfd46b15f55ba8ae6a Mon Sep 17 00:00:00 2001
From: Antoine GIRARD
Date: Sun, 5 Jan 2020 00:20:08 +0100
Subject: Only serve attachments when linked to issue/release and if accessible by user (#9340)
* test: add current attachement responses
* refactor: check if attachement is linked and accessible by user
* chore: clean TODO
* fix: typo attachement -> attachment
* revert un-needed go.sum change
* refactor: move models logic to models
* fix TestCreateIssueAttachment which was wrongly successful
* fix unit tests with unittype added
* fix unit tests with changes
* use a valid uuid format for pgsql int. test
* test: add unit test TestLinkedRepository
* refactor: allow uploader to access unlinked attachement
* add missing blank line
* refactor: move to a separate function repo.GetAttachment
* typo
* test: remove err test return
* refactor: use repo perm for access checking generally + 404 for all reject
---
 routers/routes/routes.go | 30 +-----------------------------
 1 file changed, 1 insertion(+), 29 deletions(-)
(limited to 'routers/routes')
diff --git a/routers/routes/routes.go b/routers/routes/routes.go
index c8351f312b..888c92ac4a 100644
--- a/routers/routes/routes.go
+++ b/routers/routes/routes.go
@@ -8,7 +8,6 @@ import (
 "bytes"
 "encoding/gob"
 "net/http"
- "os"
 "path"
 "text/template"
 "time"
@@ -474,34 +473,7 @@ func RegisterRoutes(m *macaron.Macaron) {
 m.Get("/following", user.Following)
 })
- m.Get("/attachments/:uuid", func(ctx *context.Context) {
- attach, err := models.GetAttachmentByUUID(ctx.Params(":uuid"))
- if err != nil {
- if models.IsErrAttachmentNotExist(err) {
- ctx.Error(404)
- } else {
- ctx.ServerError("GetAttachmentByUUID", err)
- }
- return
- }
-
- fr, err := os.Open(attach.LocalPath())
- if err != nil {
- ctx.ServerError("Open", err)
- return
- }
- defer fr.Close()
-
- if err := attach.IncreaseDownloadCount(); err != nil {
- ctx.ServerError("Update", err)
- return
- }
-
- if err = repo.ServeData(ctx, attach.Name, fr); err != nil {
- ctx.ServerError("ServeData", err)
- return
- }
- })
+ m.Get("/attachments/:uuid", repo.GetAttachment)
 }, ignSignIn)
 m.Group("/attachments", func() {
-- cgit v1.2.3
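Review bot: The added `m.Get("/attachments/:uuid", repo.GetAttachment)` still sits inside the group closed by `}, ignSignIn)`, so unauthenticated requests reach the handler and every access decision now rests on `repo.GetAttachment`, whose body is not part of this file's diff. It is worth confirming there that a request with no signed-in user is treated as a non-uploader and falls through to the repository permission check instead of dereferencing the user, and that an unlinked attachment is served only to its uploader. A short comment on the route would keep that contract visible to whoever next edits the group, for example `// Anonymous access is allowed here; repo.GetAttachment enforces link + repo permission and answers 404 on any reject.` RegisterRoutes begins and ends outside this hunk.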