[ https://issues.apache.org/jira/browse/JAMES-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine Duprat resolved JAMES-2145.
-----------------------------------
    Resolution: Fixed

merged

> Ensure security of the download attachment endpoint
> ---------------------------------------------------
>
>                 Key: JAMES-2145
>                 URL: https://issues.apache.org/jira/browse/JAMES-2145
>             Project: James Server
>          Issue Type: Task
>            Reporter: Quynh Nguyen
>
> We introduced the attachmentId -> messageIds relation populated with existing 
> data.
> We can now implement attachment download access checking.
> Here are the steps:
> - Retrieve the messageId associated with the given attachmentId through the 
> MessageIdManager.
> - Retrieve the MailboxMessages (FetchType Metadata) through 
> MessageIdManager. If not empty then we have a user message referencing the 
> attachment and thus can serve it. Otherwise we pretend the attachment doesn't 
> exist.
> - If allowed, serve the attachment.
> The security should be enforced at the AttachmentManager layer.
> Acceptance criteria: Integration tests on JMAP: check downloading someone 
> else's attachment returns not found.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
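
The access check from the steps in the issue, as an added Java example that is not part of the original message and is not Apache James code. The class, maps and method names are hypothetical in-memory stand-ins for the attachmentId -> messageIds relation and the per-user message lookup; all data is constructed.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Added illustration: in-memory stand-ins, not Apache James classes or signatures.
public class AttachmentAccessDemo {
    // Constructed data: the attachmentId -> messageIds relation from the issue.
    static final Map<String, Set<String>> MESSAGES_BY_ATTACHMENT = Map.of(
        "att-1", Set.of("msg-10"),
        "att-2", Set.of("msg-20", "msg-21"));

    // Constructed data: messageIds each user can read (stands in for the
    // metadata-only message lookup scoped to the caller's session).
    static final Map<String, Set<String>> READABLE_BY_USER = Map.of(
        "alice", Set.of("msg-10", "msg-21"),
        "bob", Set.of("msg-20"));

    // Constructed data: attachment content.
    static final Map<String, String> BLOBS = Map.of("att-1", "alice-only", "att-2", "shared");

    // Returns the content only if the user can read at least one message that
    // references the attachment. Unknown and forbidden ids both yield empty,
    // so the caller cannot tell an existing attachment from a missing one.
    static Optional<String> getAttachment(String user, String attachmentId) {
        Set<String> referencing = MESSAGES_BY_ATTACHMENT.getOrDefault(attachmentId, Set.of());
        Set<String> readable = READABLE_BY_USER.getOrDefault(user, Set.of());
        boolean allowed = referencing.stream().anyMatch(readable::contains);
        return allowed ? Optional.ofNullable(BLOBS.get(attachmentId)) : Optional.empty();
    }

    // The HTTP layer maps empty to 404 in both cases, never 403.
    static int downloadStatus(String user, String attachmentId) {
        return getAttachment(user, attachmentId).isPresent() ? 200 : 404;
    }

    public static void main(String[] args) {
        for (String[] c : List.of(
                new String[] {"alice", "att-1"},    // own message references it: 200
                new String[] {"bob", "att-1"},      // someone else's attachment: 404
                new String[] {"bob", "att-2"},      // referenced by bob's msg-20: 200
                new String[] {"bob", "att-404"})) { // does not exist: 404
            System.out.println(c[0] + " GET " + c[1] + " -> " + downloadStatus(c[0], c[1]));
        }
    }
}
```

Putting the check inside `getAttachment` rather than in the HTTP handler mirrors the issue's requirement that security be enforced at the manager layer, so every caller of the lookup gets the same decision.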
