Posted to server-dev@james.apache.org by "Quynh Nguyen (JIRA)" <se...@james.apache.org> on 2017/09/19 03:32:00 UTC
[jira] [Created] (JAMES-2145) Ensure security of the download attachment endpoint
Quynh Nguyen created JAMES-2145:
-----------------------------------
Summary: Ensure security of the download attachment endpoint
Key: JAMES-2145
URL: https://issues.apache.org/jira/browse/JAMES-2145
Project: James Server
Issue Type: Task
Reporter: Quynh Nguyen
We introduced the attachmentId -> messageIds relation populated with existing data.
We can now implement attachment download access checking.
Here are the steps:
- Retrieve the messageId associated with the given attachmentId through the MessageIdManager.
- Retrieve the MailboxMessages (FetchType Metadata) through MessageIdManager. If not empty then we have a user message referencing the attachment and thus can serve it. Otherwise we pretend the attachment doesn't exist.
- If allowed, serve the attachment.
The security should be enforced at the AttachmentManager layer.
Acceptance criteria: Integration tests on JMAP: check downloading someone else's attachment returns not found.
--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
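
The access check described in the message above, as an added example that is not part of the original message and not Apache James code. Every class, map and method name below is a hypothetical in-memory stand-in (the per-user lookup stands in for the metadata fetch through MessageIdManager), and the sample data is constructed.

```java
import java.util.*;

// Added illustration: hypothetical in-memory stand-ins, not Apache James classes.
public class AttachmentAccessDemo {
    // attachmentId -> messageIds relation (constructed sample data)
    static final Map<String, Set<String>> MESSAGES_BY_ATTACHMENT = new HashMap<>();
    // messageId -> owner of the mailbox holding it (stands in for a per-user metadata fetch)
    static final Map<String, String> OWNER_BY_MESSAGE = new HashMap<>();
    // attachmentId -> content
    static final Map<String, byte[]> BLOBS = new HashMap<>();

    // Step 2: of the messages referencing the attachment, keep those the session user can see.
    static List<String> visibleMessages(String user, Set<String> messageIds) {
        List<String> visible = new ArrayList<>();
        for (String id : messageIds) {
            if (user.equals(OWNER_BY_MESSAGE.get(id))) {
                visible.add(id);
            }
        }
        return visible;
    }

    // An empty result covers both "no such attachment" and "not referenced by any of
    // this user's messages", so the endpoint answers not found in either case and
    // does not reveal whether the attachmentId exists.
    static Optional<byte[]> download(String user, String attachmentId) {
        // Step 1: attachmentId -> messageIds
        Set<String> related =
            MESSAGES_BY_ATTACHMENT.getOrDefault(attachmentId, Collections.emptySet());
        if (visibleMessages(user, related).isEmpty()) {
            return Optional.empty();
        }
        // Step 3: allowed, serve the attachment
        return Optional.ofNullable(BLOBS.get(attachmentId));
    }

    public static void main(String[] args) {
        MESSAGES_BY_ATTACHMENT.put("att-1", new HashSet<>(Arrays.asList("msg-1")));
        OWNER_BY_MESSAGE.put("msg-1", "alice");
        BLOBS.put("att-1", "report".getBytes());

        System.out.println("alice/att-1 served: " + download("alice", "att-1").isPresent());
        System.out.println("bob/att-1 served: " + download("bob", "att-1").isPresent());
        System.out.println("bob/missing served: " + download("bob", "missing").isPresent());
    }
}
```

The second and third calls exercise the acceptance criterion: someone else's attachment and a nonexistent id take the same empty path.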