You are viewing a plain text version of this content. The canonical link for it is here.

Posted to server-dev@james.apache.org by "Quynh Nguyen (JIRA)" <se...@james.apache.org> on 2017/09/19 03:32:00 UTC

[jira] [Created] (JAMES-2145) Ensure security of the download attachment endpoint

Quynh Nguyen created JAMES-2145:
-----------------------------------

             Summary: Ensure security of the download attachment endpoint
                 Key: JAMES-2145
                 URL: https://issues.apache.org/jira/browse/JAMES-2145
             Project: James Server
          Issue Type: Task
            Reporter: Quynh Nguyen


We introduced the attachmentId -> messageIds relation populated with existing data.

We can now implement attachment download access checking.

Here are the steps:

- Retrieve the messageId associated with the given attachmentId through the MessageIdManager.
- Retrieve the MailboxMessages (FetchType Metatdata) through MessageIdManager. If not empty then we have a user message referencing the attachment and thus can serve it. Otherwise we pretend the attachment don't exist.
- If allowed, serve the attachment.

The security should be enforced at the AttachmentManager layer.
Acceptance criteria : Integration tests on JMAP: check downloading someone else attachment returns not found.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

---------------------------------------------------------------------
To unsubscribe, e-mail: server-dev-unsubscribe@james.apache.org
For additional commands, e-mail: server-dev-help@james.apache.org