Quynh Nguyen created JAMES-2145:
-----------------------------------

Summary: Ensure security of the download attachment endpoint
Key: JAMES-2145
URL: https://issues.apache.org/jira/browse/JAMES-2145
Project: James Server
Issue Type: Task
Reporter: Quynh Nguyen
We introduced the attachmentId -> messageIds relation and populated it with existing data. We can now implement attachment download access checking. Here are the steps:

- Retrieve the messageIds associated with the given attachmentId through the MessageIdManager.
- Retrieve the MailboxMessages (FetchType Metadata) through the MessageIdManager. If the result is not empty, a message belonging to the user references the attachment and we can serve it. Otherwise we pretend the attachment doesn't exist.
- If allowed, serve the attachment.

The security should be enforced at the AttachmentManager layer.

Acceptance criteria: Integration tests on JMAP: check that downloading someone else's attachment returns not found.

--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
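The three steps above, written out as an added example (this is not James code and not part of the issue). The `MessageIdManager`, `AttachmentId`, `MessageId`, `MailboxSession` and `Attachment` types below are hypothetical stand-ins for the James classes of the same name, reduced to the slice the check needs, so the example compiles on its own; the sample messages and attachment bytes are constructed. The point the example makes concrete is the last step: a user who owns no message referencing the attachment gets "not found", the same answer as for an attachment that never existed, and the decision is taken in the AttachmentManager rather than in the JMAP endpoint.

```java
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example, not James code: the access check from JAMES-2145 against
// hypothetical stand-ins for James' MessageIdManager and value types.
public class AttachmentAccessCheckExample {

    record AttachmentId(String value) {}
    record MessageId(String value) {}
    record MailboxSession(String user) {}
    record Attachment(AttachmentId id, byte[] content) {}

    static class AttachmentNotFoundException extends Exception {
        AttachmentNotFoundException(AttachmentId id) {
            super("Attachment not found: " + id.value());
        }
    }

    // Hypothetical slice of the MessageIdManager used by the check.
    interface MessageIdManager {
        // The attachmentId -> messageIds relation from the issue.
        List<MessageId> getMessageIdsReferencing(AttachmentId attachmentId);
        // Metadata-only fetch: returns only messages the session's user can read.
        List<MessageId> getMessagesMetadata(List<MessageId> messageIds, MailboxSession session);
    }

    // The check is enforced here, at the AttachmentManager layer.
    static class AttachmentManager {
        private final MessageIdManager messageIdManager;
        private final Map<AttachmentId, Attachment> store; // hypothetical attachment store

        AttachmentManager(MessageIdManager messageIdManager, Map<AttachmentId, Attachment> store) {
            this.messageIdManager = messageIdManager;
            this.store = store;
        }

        Attachment getAttachment(AttachmentId attachmentId, MailboxSession session)
                throws AttachmentNotFoundException {
            // Step 1: which messages reference this attachment?
            List<MessageId> referencing = messageIdManager.getMessageIdsReferencing(attachmentId);
            // Step 2: which of those can this user read? Metadata fetch only, no bodies.
            List<MessageId> readable = referencing.isEmpty()
                ? List.of()
                : messageIdManager.getMessagesMetadata(referencing, session);
            // No readable message: answer "not found", never "forbidden", so a caller
            // cannot distinguish someone else's attachment from a nonexistent one.
            if (readable.isEmpty()) {
                throw new AttachmentNotFoundException(attachmentId);
            }
            // Step 3: allowed, serve the bytes.
            Attachment attachment = store.get(attachmentId);
            if (attachment == null) {
                throw new AttachmentNotFoundException(attachmentId);
            }
            return attachment;
        }
    }

    // In-memory manager holding constructed sample data.
    static class InMemoryMessageIdManager implements MessageIdManager {
        private final Map<AttachmentId, List<MessageId>> references = new HashMap<>();
        private final Map<MessageId, String> owner = new HashMap<>();

        void addMessage(MessageId messageId, String user, AttachmentId... attachments) {
            owner.put(messageId, user);
            for (AttachmentId a : attachments) {
                references.computeIfAbsent(a, k -> new ArrayList<>()).add(messageId);
            }
        }

        @Override
        public List<MessageId> getMessageIdsReferencing(AttachmentId attachmentId) {
            return references.getOrDefault(attachmentId, List.of());
        }

        @Override
        public List<MessageId> getMessagesMetadata(List<MessageId> messageIds, MailboxSession session) {
            List<MessageId> visible = new ArrayList<>();
            for (MessageId id : messageIds) {
                if (session.user().equals(owner.get(id))) {
                    visible.add(id);
                }
            }
            return visible;
        }
    }

    public static void main(String[] args) {
        // Constructed data: alice's message m1 carries att1; bob owns nothing referencing it.
        AttachmentId att1 = new AttachmentId("att1");
        InMemoryMessageIdManager ids = new InMemoryMessageIdManager();
        ids.addMessage(new MessageId("m1"), "alice", att1);
        Map<AttachmentId, Attachment> store = new HashMap<>();
        store.put(att1, new Attachment(att1, "hello".getBytes(StandardCharsets.UTF_8)));
        AttachmentManager manager = new AttachmentManager(ids, store);

        for (String user : List.of("alice", "bob")) {
            try {
                Attachment a = manager.getAttachment(att1, new MailboxSession(user));
                System.out.println(user + ": served " + a.content().length + " bytes");
            } catch (AttachmentNotFoundException e) {
                System.out.println(user + ": " + e.getMessage());
            }
        }
    }
}
```

Running `main` serves the five bytes to alice and reports "Attachment not found" to bob, which is exactly what the JMAP integration test in the acceptance criteria should assert: a foreign attachment and a missing attachment produce the same response.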