saret/vaultwarden
1
0
Fork 0
mirror of https://github.com/dani-garcia/vaultwarden.git synced 2025-09-10 18:55:57 +03:00
Code Issues Packages Projects Releases Wiki Activity

Add some extra access checks for attachments and groups

Browse Source
This commit is contained in:
Daniel García
2023-07-03 19:58:14 +02:00
parent e7f083dee9
commit 60964c07e6
7 changed files with 101 additions and 28 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
src/api/web.rs
View File

@@ -5,6 +5,7 @@ use serde_json::Value;
use crate::{
api::{core::now, ApiResult, EmptyResult},
auth::decode_file_download,
error::Error,
util::{Cached, SafeString},
CONFIG,
@@ -91,8 +92,13 @@ async fn web_files(p: PathBuf) -> Cached<Option<NamedFile>> {
Cached::long(NamedFile::open(Path::new(&CONFIG.web_vault_folder()).join(p)).await.ok(), true)
}
#[get("/attachments/<uuid>/<file_id>")]
async fn attachments(uuid: SafeString, file_id: SafeString) -> Option<NamedFile> {
#[get("/attachments/<uuid>/<file_id>?<token>")]
async fn attachments(uuid: SafeString, file_id: SafeString, token: String) -> Option<NamedFile> {
let Ok(claims) = dbg!(decode_file_download(&token)) else { return None };
if claims.sub != *uuid || claims.file_id != *file_id {
return None;
}
NamedFile::open(Path::new(&CONFIG.attachments_folder()).join(uuid).join(file_id)).await.ok()
}