uploads: Allow access to the /download/ variant anonymously.

This was mistakenly left off of b799ec32b0.
Alex Vandiver 2023-06-07 20:26:04 +00:00 committed by Tim Abbott
parent 0dbe111ab3
commit fbb831ff3b
3 changed files with 15 additions and 3 deletions


@ -263,6 +263,15 @@ class FileUploadTest(UploadSerializeMixin, ZulipTestCase):
response = self.client_get(url)
self.assertEqual(response.status_code, 403)
# Check that the /download/ variant works as well
download_url = url.replace("/user_uploads/", "/user_uploads/download/")
with ratelimit_rule(86400, 1000, domain="spectator_attachment_access_by_file"):
response = self.client_get(download_url)
self.assertEqual(response.status_code, 200)
with ratelimit_rule(86400, 0, domain="spectator_attachment_access_by_file"):
response = self.client_get(download_url)
self.assertEqual(response.status_code, 403)
# Deny random file access
response = self.client_get(
"/user_uploads/2/71/QYB7LA-ULMYEad-QfLMxmI2e/zulip-non-existent.txt"

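Review bot: No denial case for the /download/ variant is visible in this hunk apart from the rate-limit one; the `# Deny random file access` check that follows requests only the plain `/user_uploads/` path. Because the route is newly reachable without a session, a negative case would pin its authorization behaviour, for example `response = self.client_get("/user_uploads/download/2/71/QYB7LA-ULMYEad-QfLMxmI2e/zulip-non-existent.txt")` followed by an assertion of the same status the existing non-existent-file check expects. The enclosing test method starts and ends outside the hunk, so such a case may already exist elsewhere in it.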

@ -137,10 +137,13 @@ def serve_local(
def serve_file_download_backend(
request: HttpRequest, user_profile: UserProfile, realm_id_str: str, filename: str
request: HttpRequest,
maybe_user_profile: Union[UserProfile, AnonymousUser],
realm_id_str: str,
filename: str,
) -> HttpResponseBase:
return serve_file(
request, user_profile, realm_id_str, filename, url_only=False, force_download=True
request, maybe_user_profile, realm_id_str, filename, url_only=False, force_download=True
)
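Review bot: `serve_file_download_backend` now accepts `AnonymousUser` but has no docstring or comment saying where anonymous requests are authorized. The wrapper does no checks of its own, so every access decision for spectators rests on `serve_file`, whose body is outside this hunk. I would add a one-line docstring such as `"""Serve an upload with force_download=True; access checks, including those for anonymous spectators, are delegated to serve_file."""` so that a later edit does not add logic here that assumes a logged-in `UserProfile`. That `serve_file` already handles `AnonymousUser` is inferred from the commit message and the new test, and should be confirmed against its signature.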


@ -646,7 +646,7 @@ urls += [
),
rest_path(
"user_uploads/download/<realm_id_str>/<path:filename>",
GET=(serve_file_download_backend, {"override_api_url_scheme"}),
GET=(serve_file_download_backend, {"override_api_url_scheme", "allow_anonymous_user_web"}),
),
rest_path(
"user_uploads/<realm_id_str>/<path:filename>",