Merge pull request #2702 from mattermost/gh-2678-shared-files

GH-2678 Update handleServeFile to allow readtoken
2024-12-03 08:45:40 +02:00 · 2022-03-31 16:34:21 -06:00 · 2022-03-31 16:34:21 -06:00 · 2d356c696b
commit 2d356c696b
parent d972cac4a1 c098eda254
1 changed files with 10 additions and 9 deletions
--- a/server/api/api.go
+++ b/server/api/api.go
@ -1824,7 +1824,7 @@ func (a *API) handlePostTeamRegenerateSignupToken(w http.ResponseWriter, r *http
 // File upload

 func (a *API) handleServeFile(w http.ResponseWriter, r *http.Request) {
-	// swagger:operation GET /boards/{boardID}/{rootID}/{fileID} getFile
+	// swagger:operation GET "api/v1/files/teams/{teamID}/{boardID}/{filename} getFile
 	//
 	// Returns the contents of an uploaded file
 	//
@ -1835,19 +1835,19 @@ func (a *API) handleServeFile(w http.ResponseWriter, r *http.Request) {
 	// - image/png
 	// - image/gif
 	// parameters:
+	// - name: teamID
+	//   in: path
+	//   description: Team ID
+	//   required: true
+	//   type: string
 	// - name: boardID
 	//   in: path
 	//   description: Board ID
 	//   required: true
 	//   type: string
-	// - name: rootID
+	// - name: filename
 	//   in: path
-	//   description: ID of the root block
-	//   required: true
-	//   type: string
-	// - name: fileID
-	//   in: path
-	//   description: ID of the file
+	//   description: name of the file
 	//   required: true
 	//   type: string
 	// security:
@ -1865,7 +1865,8 @@ func (a *API) handleServeFile(w http.ResponseWriter, r *http.Request) {
 	filename := vars["filename"]
 	userID := getUserID(r)

-	if !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionViewBoard) {
+	hasValidReadToken := a.hasValidReadTokenForBoard(r, boardID)
+	if !hasValidReadToken && !a.permissions.HasPermissionToBoard(userID, boardID, model.PermissionViewBoard) {
 		a.errorResponse(w, r.URL.Path, http.StatusForbidden, "", PermissionError{"access denied to board"})
 		return
 	}