[ https://issues.apache.org/jira/browse/JAMES-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Antoine Duprat resolved JAMES-2145.
-----------------------------------
    Resolution: Fixed

merged

> Ensure security of the download attachment endpoint
> ---------------------------------------------------
>
>                 Key: JAMES-2145
>                 URL: https://issues.apache.org/jira/browse/JAMES-2145
>             Project: James Server
>          Issue Type: Task
>            Reporter: Quynh Nguyen
>
> We introduced the attachmentId -> messageIds relation populated with existing data.
> We can now implement attachment download access checking.
> Here are the steps:
>  - Retrieve the messageId associated with the given attachmentId through the MessageIdManager.
>  - Retrieve the MailboxMessages (FetchType Metadata) through MessageIdManager. If not empty then we have a user message referencing the attachment and thus can serve it. Otherwise we pretend the attachment doesn't exist.
>  - If allowed, serve the attachment.
> The security should be enforced at the AttachmentManager layer.
> Acceptance criteria: Integration tests on JMAP: check downloading someone else's attachment returns not found.

--
This message was sent by Atlassian JIRA (v6.4.14#64029)
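
The three steps in the issue description, as an added example that is not Apache James code: a self-contained Java model of the check, enforced in the manager layer and returning the same not-found result for an unknown attachment and for one the caller cannot read. All class, method and data names are hypothetical, and the sample data is constructed.

```java
import java.util.*;

// Hypothetical model of the check described in the issue; not Apache James code.
public class AttachmentAccessDemo {
    record Message(String messageId, String mailboxOwner) {}
    static class AttachmentNotFoundException extends Exception {}

    // Constructed sample data: attachmentId -> messageIds, messageId -> message, blobs.
    static final Map<String, Set<String>> MESSAGE_IDS_BY_ATTACHMENT = Map.of(
        "att-1", Set.of("msg-1"),
        "att-2", Set.of("msg-2", "msg-3"));
    static final Map<String, Message> MESSAGES = Map.of(
        "msg-1", new Message("msg-1", "alice@example.org"),
        "msg-2", new Message("msg-2", "bob@example.org"),
        "msg-3", new Message("msg-3", "alice@example.org"));
    static final Map<String, byte[]> BLOBS = Map.of(
        "att-1", "alice-only".getBytes(), "att-2", "shared".getBytes());

    // Step 2: metadata-only lookup, restricted to messages `user` can read.
    static List<Message> readableMessages(Set<String> messageIds, String user) {
        return messageIds.stream()
            .map(MESSAGES::get)
            .filter(m -> m != null && m.mailboxOwner().equals(user))
            .toList();
    }

    // The check lives in the manager layer so every caller goes through it.
    static byte[] getAttachment(String attachmentId, String user) throws AttachmentNotFoundException {
        // Step 1: resolve the messages that reference this attachment.
        Set<String> messageIds = MESSAGE_IDS_BY_ATTACHMENT.getOrDefault(attachmentId, Set.of());
        if (readableMessages(messageIds, user).isEmpty()) {
            // Same exception for "unknown id" and "not yours": no existence oracle.
            throw new AttachmentNotFoundException();
        }
        return BLOBS.get(attachmentId); // Step 3: serve.
    }

    public static void main(String[] args) {
        String[][] cases = {{"att-1", "alice@example.org"}, {"att-1", "bob@example.org"},
                            {"att-2", "bob@example.org"}, {"att-9", "bob@example.org"}};
        for (String[] c : cases) {
            try {
                System.out.println(c[1] + " " + c[0] + " -> " + new String(getAttachment(c[0], c[1])));
            } catch (AttachmentNotFoundException e) {
                System.out.println(c[1] + " " + c[0] + " -> not found");
            }
        }
    }
}
```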