From 29f907878934c22b9404a55673168c1a257e6064 Mon Sep 17 00:00:00 2001 From: netkas Date: Fri, 6 Jun 2025 01:00:07 -0400 Subject: [PATCH] Add authentication and permission checks for downloading attachments --- .../Attachments/DownloadAttachment.php | 26 ++++++++++++++----- 1 file changed, 20 insertions(+), 6 deletions(-) diff --git a/src/FederationServer/Methods/Attachments/DownloadAttachment.php b/src/FederationServer/Methods/Attachments/DownloadAttachment.php index 7306385..b1e07a1 100644 --- a/src/FederationServer/Methods/Attachments/DownloadAttachment.php +++ b/src/FederationServer/Methods/Attachments/DownloadAttachment.php @@ -29,6 +29,12 @@ throw new RequestException('Invalid attachment UUID', 400); } + $authenticatedOperator = FederationServer::getAuthenticatedOperator(); + if(!Configuration::getServerConfiguration()->isEvidencePublic() && $authenticatedOperator === null) + { + throw new RequestException('Unauthorized: You must be authenticated to download attachments', 401); + } + try { $attachment = FileAttachmentManager::getRecord($uuid); @@ -38,14 +44,22 @@ } $evidence = EvidenceManager::getEvidence($attachment->getEvidence()); - if($evidence && $evidence->isConfidential()) - { - // Require authentication if confidential - $operator = FederationServer::getAuthenticatedOperator(); - if(!$operator->canManageBlacklist()) + if($evidence === null) + { + throw new RequestException('Associated evidence not found', 404); + } + + if($evidence->isConfidential()) + { + if($authenticatedOperator === null) { - throw new RequestException('Insufficient Permissions to view confidential evidence', 401); + throw new RequestException('Unauthorized: You must be authenticated to view confidential evidence', 401); + } + + if(!$authenticatedOperator->canManageBlacklist()) + { + throw new RequestException('Unauthorized: Insufficient Permissions to view confidential evidence', 401); } } }