Nosial/FederationServer
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

Add authentication and permission checks for downloading attachments

Browse source
This commit is contained in:
netkas 2025-06-06 01:00:07 -04:00
parent f4536df74f
commit 29f9078789
Signed by: netkas
GPG key ID: 4D8629441B76E4CC
1 changed files with 20 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

26
src/FederationServer/Methods/Attachments/DownloadAttachment.php
View file

@ -29,6 +29,12 @@
throw new RequestException('Invalid attachment UUID', 400); throw new RequestException('Invalid attachment UUID', 400);
} }
$authenticatedOperator = FederationServer::getAuthenticatedOperator();
if(!Configuration::getServerConfiguration()->isEvidencePublic() && $authenticatedOperator === null)
{
throw new RequestException('Unauthorized: You must be authenticated to download attachments', 401);
}
try try
{ {
$attachment = FileAttachmentManager::getRecord($uuid); $attachment = FileAttachmentManager::getRecord($uuid);
@ -38,14 +44,22 @@
} }
$evidence = EvidenceManager::getEvidence($attachment->getEvidence()); $evidence = EvidenceManager::getEvidence($attachment->getEvidence());
if($evidence && $evidence->isConfidential())
{
// Require authentication if confidential
$operator = FederationServer::getAuthenticatedOperator();
if(!$operator->canManageBlacklist()) if($evidence === null)
{ {
throw new RequestException('Insufficient Permissions to view confidential evidence', 401); throw new RequestException('Associated evidence not found', 404);
}
if($evidence->isConfidential())
{
if($authenticatedOperator === null)
{
throw new RequestException('Unauthorized: You must be authenticated to view confidential evidence', 401);
}
if(!$authenticatedOperator->canManageBlacklist())
{
throw new RequestException('Unauthorized: Insufficient Permissions to view confidential evidence', 401);
} }
} }
} }