5 лет назад · 438d88c300
--- a/src/server/middlewares/certify-shared-file.js
+++ b/src/server/middlewares/certify-shared-file.js
@@ -0,0 +1,46 @@
 
				+const loggerFactory = require('@alias/logger');
			
 
				+const url = require('url');
			
 
				+
			
 
				+const logger = loggerFactory('growi:middleware:certify-shared-fire');
			
 
				+
			
 
				+module.exports = (crowi) => {
			
 
				+
			
 
				+  return async(req, res, next) => {
			
 
				+    const { referer } = req.headers;
			
 
				+    const { path } = url.parse(referer);
			
 
				+
			
 
				+    if (!path.startsWith('/share/')) {
			
 
				+      next();
			
 
				+    }
			
 
				+
			
 
				+    const fileId = req.params.id || null;
			
 
				+
			
 
				+    const Attachment = crowi.model('Attachment');
			
 
				+    const ShareLink = crowi.model('ShareLink');
			
 
				+
			
 
				+    const attachment = await Attachment.findOne({ _id: fileId });
			
 
				+
			
 
				+    if (attachment == null) {
			
 
				+      next();
			
 
				+    }
			
 
				+
			
 
				+    const shareLinks = await ShareLink.find({ relatedPage: attachment.page });
			
 
				+
			
 
				+    // If sharelinks don't exist, skip it
			
 
				+    if (shareLinks.length === 0) {
			
 
				+      next();
			
 
				+    }
			
 
				+
			
 
				+    // Is there a valid share link
			
 
				+    shareLinks.map((sharelink) => {
			
 
				+      if (!sharelink.isExpired()) {
			
 
				+        logger.debug('Confirmed target file belong to a share page');
			
 
				+        req.isSharedPage = true;
			
 
				+      }
			
 
				+      return;
			
 
				+    });
			
 
				+
			
 
				+    next();
			
 
				+  };
			
 
				+
			
 
				+};
			
--- a/src/server/routes/index.js
+++ b/src/server/routes/index.js
@@ -11,6 +11,7 @@ module.exports = function(crowi, app) {
 
				   const loginRequired = require('../middlewares/login-required')(crowi, true);
			
 
				   const adminRequired = require('../middlewares/admin-required')(crowi);
			
 
				   const certifySharedPage = require('../middlewares/certify-shared-page')(crowi);
			
 
				+  const certifySharedFile = require('../middlewares/certify-shared-file')(crowi);
			
 
				   const csrf = require('../middlewares/csrf')(crowi);
			
 
				 
			
 
				   const uploads = multer({ dest: `${crowi.tmpDir}uploads` });
			
@@ -121,7 +122,7 @@ module.exports = function(crowi, app) {
 
				 
			
 
				   app.get('/:id([0-9a-z]{24})'       , loginRequired , page.redirector);
			
 
				   app.get('/_r/:id([0-9a-z]{24})'    , loginRequired , page.redirector); // alias
			
 
				-  app.get('/attachment/:id([0-9a-z]{24})'  , loginRequired, attachment.api.get);
			
 
				+  app.get('/attachment/:id([0-9a-z]{24})' , certifySharedFile , loginRequired, attachment.api.get);
			
 
				   app.get('/attachment/profile/:id([0-9a-z]{24})' , loginRequired, attachment.api.get);
			
 
				   app.get('/attachment/:pageId/:fileName', loginRequired, attachment.api.obsoletedGetForMongoDB); // DEPRECATED: remains for backward compatibility for v3.3.x or below
			
 
				   app.get('/download/:id([0-9a-z]{24})'    , loginRequired, attachment.api.download);