Allow token as authorization for accessing attachments (#7909)
* Allow token as authorization for accessing attachments Signed-off-by: David Svantesson <davidsvantesson@gmail.com> * Only allow token authentication for attachments if it is a download (GET)
parent
70d2244e49
commit
ce45a8c257
|
@ -29,6 +29,11 @@ func IsAPIPath(url string) bool {
|
||||||
return strings.HasPrefix(url, "/api/")
|
return strings.HasPrefix(url, "/api/")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// IsAttachmentDownload check if request is a file download (GET) with URL to an attachment
|
||||||
|
func IsAttachmentDownload(ctx *macaron.Context) bool {
|
||||||
|
return strings.HasPrefix(ctx.Req.URL.Path, "/attachments/") && ctx.Req.Method == "GET"
|
||||||
|
}
|
||||||
|
|
||||||
// SignedInID returns the id of signed in user.
|
// SignedInID returns the id of signed in user.
|
||||||
func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
|
func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
|
||||||
if !models.HasEngine {
|
if !models.HasEngine {
|
||||||
|
@ -36,7 +41,7 @@ func SignedInID(ctx *macaron.Context, sess session.Store) int64 {
|
||||||
}
|
}
|
||||||
|
|
||||||
// Check access token.
|
// Check access token.
|
||||||
if IsAPIPath(ctx.Req.URL.Path) {
|
if IsAPIPath(ctx.Req.URL.Path) || IsAttachmentDownload(ctx) {
|
||||||
tokenSHA := ctx.Query("token")
|
tokenSHA := ctx.Query("token")
|
||||||
if len(tokenSHA) == 0 {
|
if len(tokenSHA) == 0 {
|
||||||
tokenSHA = ctx.Query("access_token")
|
tokenSHA = ctx.Query("access_token")
|
||||||
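Review bot: The widened condition in SignedInID now accepts `?token=` / `?access_token=` on `/attachments/` GETs, which puts an access token into URLs that are much more likely than API calls to be opened in a browser, pasted or embedded. Such URLs are recorded in server and proxy access logs and in browser history, and can be sent on in Referer headers. Nothing in these lines narrows the token to the attachment being fetched, so a leaked link would expose the holder's whole token rather than one file. I would state this on IsAttachmentDownload, for example `// NOTE: query-string tokens on attachment URLs can be logged or leaked via Referer; prefer a header-based token where the caller can send one.`, and keep token values out of request logging for this path. SignedInID continues outside the hunk, so I cannot confirm from here whether a header-based token is also honoured for attachment downloads.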
|
|