diff --git a/server/AyaNova/Controllers/AttachmentController.cs b/server/AyaNova/Controllers/AttachmentController.cs
index 0ef9ffb6..e6b26f5c 100644
--- a/server/AyaNova/Controllers/AttachmentController.cs
+++ b/server/AyaNova/Controllers/AttachmentController.cs
@@ -318,25 +318,17 @@ namespace AyaNova.Api.Controllers
 //get user by key, if not found then reject
 //If user dlkeyexp has not expired then return file
- var dlkeyUser = await ct.User.SingleOrDefaultAsync(m => m.DlKey == t && m.Active == true);
- if (dlkeyUser == null)
- {
- await Task.Delay(nFailedAuthDelay);//DOS protection
- return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
- }
-
- //Make sure the token provided is for the current user
- //bugbug: Is this not a bug, there's no way to set this properly is there?
- long UserId = UserIdFromContext.Id(HttpContext.Items);
- if (UserId != dlkeyUser.Id)
+ var DownloadUser = await ct.User.AsNoTracking().SingleOrDefaultAsync(m => m.DlKey == t && m.Active == true);
+ if (DownloadUser == null)
 {
 await Task.Delay(nFailedAuthDelay);//DOS protection
 return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
 }
+ //TODO: EVENT LOG THIS SHIT
 var utcNow = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);
- if (dlkeyUser.DlKeyExpire < utcNow.DateTime)
+ if (DownloadUser.DlKeyExpire < utcNow.DateTime)
 {
 await Task.Delay(nFailedAuthDelay);//DOS protection
@@ -351,8 +343,9 @@ namespace AyaNova.Api.Controllers
 return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
 }
+ //is this allowed?
- if (!Authorized.HasReadFullRole(HttpContext.Items, dbObj.AttachToObjectType))
+ if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObj.AttachToObjectType))
 {
 await Task.Delay(nFailedAuthDelay);//DOS protection
 return StatusCode(403, new ApiNotAuthorizedResponse());
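Review bot: The rejection branches in this hunk (unknown or inactive key, expired key) and the 403 branch in the second hunk return without writing an event-log entry, while the successful download in the last hunk is logged, so repeated bad-key requests against this endpoint leave no trace for detection; the added `//TODO: EVENT LOG THIS SHIT` line seems to acknowledge this but should say what is meant, e.g. `//TODO: write an event-log entry for rejected download-key attempts (unknown, expired, or insufficient role) so they can be monitored`. The new comparison `DownloadUser.DlKeyExpire < utcNow.DateTime` evaluates to false when the left side is a nullable DateTime with no value, so if that column is nullable a key with no expiry would pass this check — confirm the column type and whether a null expiry should be rejected. `DownloadUser` is a local, and the other locals here (`dlkeyUser`, `utcNow`) are camelCase, so `downloadUser` would match the file's convention. The enclosing method starts and ends outside this hunk.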
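Review bot: `DownloadUser.Roles` is read from an entity that the first hunk loads with `AsNoTracking()` and no `Include`, so if `Roles` is an EF navigation property rather than a mapped column it would not be populated here and `HasReadFullRole` would evaluate an unloaded value — confirm the property type, and add `.Include(m => m.Roles)` to that query if it is a navigation. With the `UserIdFromContext` comparison removed, the download key is now the only credential on this path and the roles of whichever user it maps to decide access, which the added `//is this allowed?` comment should state plainly, e.g. `//authorize with the roles of the key's owner: the download key alone authenticates this request, there is no session binding`. The enclosing method starts and ends outside this hunk.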
@@ -373,7 +366,7 @@ namespace AyaNova.Api.Controllers
 }
 //Log
- await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObj.AttachToObjectId, dbObj.AttachToObjectType, AyaEvent.AttachmentDownload, dbObj.DisplayFileName), ct);
+ await EventLogProcessor.LogEventToDatabaseAsync(new Event(DownloadUser.Id, dbObj.AttachToObjectId, dbObj.AttachToObjectType, AyaEvent.AttachmentDownload, dbObj.DisplayFileName), ct);
 return PhysicalFile(filePath, mimetype, dbObj.DisplayFileName);