Posted to server-dev@james.apache.org by "Antoine Duprat (JIRA)" <se...@james.apache.org> on 2017/09/20 20:40:00 UTC

[jira] [Closed] (JAMES-2145) Ensure security of the download attachment endpoint

     [ https://issues.apache.org/jira/browse/JAMES-2145?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antoine Duprat closed JAMES-2145.
---------------------------------

> Ensure security of the download attachment endpoint
> ---------------------------------------------------
>
>                 Key: JAMES-2145
>                 URL: https://issues.apache.org/jira/browse/JAMES-2145
>             Project: James Server
>          Issue Type: Task
>            Reporter: Quynh Nguyen
>
> We introduced the attachmentId -> messageIds relation populated with existing data.
> We can now implement attachment download access checking.
> Here are the steps:
> - Retrieve the messageId associated with the given attachmentId through the MessageIdManager.
> - Retrieve the MailboxMessages (FetchType Metadata) through MessageIdManager. If not empty then we have a user message referencing the attachment and thus can serve it. Otherwise we pretend the attachment doesn't exist.
> - If allowed, serve the attachment.
> The security should be enforced at the AttachmentManager layer.
> Acceptance criteria: Integration tests on JMAP: check downloading someone else's attachment returns not found.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)
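
The access check described in the issue, sketched as an added example that is not Apache James code and not part of the original message. Every class, method and map name below is hypothetical, and in-memory maps with constructed sample data stand in for the real attachment and message stores.

```java
import java.nio.charset.StandardCharsets;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Hypothetical names throughout; this models the check, it is not the James API.
public class AttachmentAccessCheck {
    // attachmentId -> messageIds referencing it (the relation the issue mentions)
    static final Map<String, Set<String>> ATTACHMENT_TO_MESSAGES = new HashMap<>();
    // messageId -> users who hold that message in one of their mailboxes
    static final Map<String, Set<String>> MESSAGE_TO_USERS = new HashMap<>();
    // attachmentId -> stored content
    static final Map<String, byte[]> BLOBS = new HashMap<>();

    // Second step of the issue: keep only the referencing messages this user can read.
    static Set<String> messagesVisibleTo(String user, Set<String> messageIds) {
        Set<String> visible = new HashSet<>();
        for (String id : messageIds) {
            if (MESSAGE_TO_USERS.getOrDefault(id, Set.of()).contains(user)) {
                visible.add(id);
            }
        }
        return visible;
    }

    // An unknown id and an id the user may not read give the same empty result,
    // so a caller cannot learn which attachment ids exist.
    static Optional<byte[]> download(String user, String attachmentId) {
        Set<String> referencing = ATTACHMENT_TO_MESSAGES.getOrDefault(attachmentId, Set.of());
        if (messagesVisibleTo(user, referencing).isEmpty()) {
            return Optional.empty();
        }
        return Optional.ofNullable(BLOBS.get(attachmentId));
    }

    public static void main(String[] args) {
        // Constructed sample data: one attachment on one message owned by alice.
        ATTACHMENT_TO_MESSAGES.put("att-1", Set.of("msg-1"));
        MESSAGE_TO_USERS.put("msg-1", Set.of("alice@example.org"));
        BLOBS.put("att-1", "report".getBytes(StandardCharsets.UTF_8));

        System.out.println("owner:          " + download("alice@example.org", "att-1").isPresent());
        System.out.println("someone else's: " + download("bob@example.org", "att-1").isPresent());
        System.out.println("unknown id:     " + download("bob@example.org", "att-404").isPresent());
    }
}
```

Placing the check inside `download` rather than in the HTTP handler mirrors the issue's requirement that the rule be enforced at the manager layer, so every caller inherits it.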
