BugFix

packages/growi-plugin-attachment-refs/src/client/js/components/AttachmentList.jsx

@@ -20,6 +20,7 @@ export default class AttachmentList extends React.Component {
 
     this.state = {
       isLoading: true,
+      isError: false,
       errorMessage: null,
 
       attachments: [],
@@ -58,15 +59,14 @@ export default class AttachmentList extends React.Component {
         },
       });
 
-      if (res.status === 200) {
-        this.setState({
-          attachments: [res.data.attachment],
-        });
-      }
+      this.setState({
+        attachments: [res.data.attachment],
+      });
     }
     catch (err) {
       this.setState({
-        errorMessage: err,
+        isError: true,
+        errorMessage: err.response.data,
       });
     }
     finally {

packages/growi-plugin-attachment-refs/src/server/routes/refs.js

@@ -23,32 +23,38 @@ module.exports = (crowi) => {
       return;
     }
 
-    try {
-      const attachment = await Attachment.findOne({ originalName: fileName })
-        .populate({ path: 'creator', select: User.USER_PUBLIC_FIELDS, populate: User.IMAGE_POPULATION });
-
-      // not found
-      if (attachment == null) {
-        res.status(404).send(`fileName: '${fileName}' is not found.`);
-        return;
-      }
-
-      logger.debug(`attachment '${attachment.id}' is found from filename '${fileName}'`);
-
-      // forbidden
-      const isAccessible = await Page.isAccessiblePageByViewer(attachment.page, user);
-      if (!isAccessible) {
-        logger.debug(`attachment '${attachment.id}' is forbidden for user '${user && user.username}'`);
-        res.status(403).send(`page '${attachment.page}' is forbidden.`);
-        return;
-      }
-
-      res.status(200).send({ attachment });
+    const page = await Page.findByPathAndViewer(pagePath, user);
+
+    // not found
+    if (page == null) {
+      res.status(404).send(`pagePath: '${pagePath}' is not found or forbidden.`);
+      return;
+    }
+
+    const attachment = await Attachment
+      .findOne({
+        page: page._id,
+        originalName: fileName,
+      })
+      .populate({ path: 'creator', select: User.USER_PUBLIC_FIELDS, populate: User.IMAGE_POPULATION });
+
+    // not found
+    if (attachment == null) {
+      res.status(404).send(`fileName: '${fileName}' is not found.`);
+      return;
     }
-    catch (err) {
-      logger.error(err);
-      res.status(503).send({ err });
+
+    logger.debug(`attachment '${attachment.id}' is found from filename '${fileName}'`);
+
+    // forbidden
+    const isAccessible = await Page.isAccessiblePageByViewer(attachment.page, user);
+    if (!isAccessible) {
+      logger.debug(`attachment '${attachment.id}' is forbidden for user '${user && user.username}'`);
+      res.status(403).send(`page '${attachment.page}' is forbidden.`);
+      return;
     }
+
+    res.status(200).send({ attachment });
   });
 
   return router;