Add authorization check for downloading attachments in handleRequest method

netkas 2025-06-06 13:05:29 -04:00
parent cb5862fe94
commit 3217100cff
Signed by: netkas
GPG key ID: 4D8629441B76E4CC


@ -18,6 +18,12 @@
*/ */
public static function handleRequest(): void public static function handleRequest(): void
{ {
$authenticatedOperator = FederationServer::getAuthenticatedOperator();
if(!Configuration::getServerConfiguration()->isEvidencePublic() && $authenticatedOperator === null)
{
throw new RequestException('Unauthorized: You must be authenticated to download attachments', 401);
}
if(!preg_match('#^/attachments/([a-fA-F0-9\-]{36,})$#', FederationServer::getPath(), $matches)) if(!preg_match('#^/attachments/([a-fA-F0-9\-]{36,})$#', FederationServer::getPath(), $matches))
{ {
throw new RequestException('Attachment UUID required', 405); throw new RequestException('Attachment UUID required', 405);
@ -29,12 +35,6 @@
throw new RequestException('Invalid attachment UUID', 400); throw new RequestException('Invalid attachment UUID', 400);
} }
$authenticatedOperator = FederationServer::getAuthenticatedOperator();
if(!Configuration::getServerConfiguration()->isEvidencePublic() && $authenticatedOperator === null)
{
throw new RequestException('Unauthorized: You must be authenticated to download attachments', 401);
}
try try
{ {
$attachment = FileAttachmentManager::getRecord($attachmentUuid); $attachment = FileAttachmentManager::getRecord($attachmentUuid);
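Review bot: The guard now at the top of handleRequest only establishes authentication: any request for which `getAuthenticatedOperator()` returns non-null passes, and nothing in the visible lines checks what that operator may do or whether the requested attachment is restricted. If every operator is meant to read all evidence when `isEvidencePublic()` is false, say so next to the check, e.g. `// Private evidence: any authenticated operator may download; no per-operator permission is required`; otherwise a permission check belongs here, before the record lookup. Running the check before the path is parsed is the right order, because unauthenticated callers now get the 401 before any UUID validation response. The function body continues past the end of the hunk, so a later per-record check may exist outside this view.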