|
|
@@ -13,14 +13,33 @@ module.exports = function(crowi, app) {
|
|
|
const fileUploader = require('../service/file-uploader')(crowi, app);
|
|
|
|
|
|
|
|
|
+ /**
|
|
|
+ * Check the user is accessible to the related page
|
|
|
+ *
|
|
|
+ * @param {User} user
|
|
|
+ * @param {Attachment} attachment
|
|
|
+ */
|
|
|
+ async function isAccessibleByViewer(user, attachment) {
|
|
|
+ if (attachment.page != null) {
|
|
|
+ return await Page.isAccessiblePageByViewer(attachment.page, user);
|
|
|
+ }
|
|
|
+ return true;
|
|
|
+ }
|
|
|
+
|
|
|
/**
|
|
|
* Common method to response
|
|
|
*
|
|
|
* @param {Response} res
|
|
|
+ * @param {User} user
|
|
|
* @param {Attachment} attachment
|
|
|
* @param {boolean} forceDownload
|
|
|
*/
|
|
|
- async function responseForAttachment(res, attachment, forceDownload) {
|
|
|
+ async function responseForAttachment(res, user, attachment, forceDownload) {
|
|
|
+ const isAccessible = await isAccessibleByViewer(user, attachment);
|
|
|
+ if (!isAccessible) {
|
|
|
+ return res.json(ApiResponse.error(`Forbidden to access to the attachment '${attachment.id}'`));
|
|
|
+ }
|
|
|
+
|
|
|
let fileStream;
|
|
|
try {
|
|
|
fileStream = await fileUploader.findDeliveryFile(attachment);
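Review bot: `isAccessibleByViewer` dereferences `attachment.page` with no null guard, and the three callers in the hunks at `@@ -91`, `@@ -112` and `@@ -139` drop their `attachment == null` check, so a lookup miss now throws a TypeError inside the async handler instead of returning the previous 'attachment not found' response. Restoring the guard once at the top of `responseForAttachment`, before the access check, keeps the callers simple: `if (attachment == null) { return res.json(ApiResponse.error('attachment not found')); }`. Separately, the helper returns `true` whenever the attachment has no related page, which is a fail-open default; if that is intended for attachments that are not bound to a page, a comment such as `// attachments not bound to a page are not restricted` would make the intent explicit and keep a later reader from treating it as an oversight. The forbidden branch answers with whatever status `ApiResponse.error` implies; if that is 200, prefixing `res.status(403)` would let clients and access logs distinguish a denial from a successful delivery. `responseForAttachment`'s body continues outside the hunk.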
|
|
|
@@ -91,13 +110,7 @@ module.exports = function(crowi, app) {
|
|
|
|
|
|
const attachment = await Attachment.findById(id);
|
|
|
|
|
|
- if (attachment == null) {
|
|
|
- return res.json(ApiResponse.error('attachment not found'));
|
|
|
- }
|
|
|
-
|
|
|
- // TODO for GC-1359: consider restriction
|
|
|
-
|
|
|
- return responseForAttachment(res, attachment, true);
|
|
|
+ return responseForAttachment(res, req.user, attachment, true);
|
|
|
};
|
|
|
|
|
|
/**
|
|
|
@@ -112,13 +125,7 @@ module.exports = function(crowi, app) {
|
|
|
|
|
|
const attachment = await Attachment.findById(id);
|
|
|
|
|
|
- if (attachment == null) {
|
|
|
- return res.json(ApiResponse.error('attachment not found'));
|
|
|
- }
|
|
|
-
|
|
|
- // TODO for GC-1359: consider restriction
|
|
|
-
|
|
|
- return responseForAttachment(res, attachment);
|
|
|
+ return responseForAttachment(res, req.user, attachment);
|
|
|
};
|
|
|
|
|
|
/**
|
|
|
@@ -139,13 +146,7 @@ module.exports = function(crowi, app) {
|
|
|
|
|
|
const attachment = await Attachment.findOne({ filePath });
|
|
|
|
|
|
- if (attachment == null) {
|
|
|
- return res.json(ApiResponse.error('attachment not found'));
|
|
|
- }
|
|
|
-
|
|
|
- // TODO for GC-1359: consider restriction
|
|
|
-
|
|
|
- return responseForAttachment(res, attachment);
|
|
|
+ return responseForAttachment(res, req.user, attachment);
|
|
|
};
|
|
|
|
|
|
/**
|