2020-04-22 23:03:18 +00:00
parent 9a37bba71d
commit d6420720db
1 changed files with 7 additions and 14 deletions
--- a/server/AyaNova/Controllers/AttachmentController.cs
+++ b/server/AyaNova/Controllers/AttachmentController.cs
@@ -318,25 +318,17 @@ namespace AyaNova.Api.Controllers

            //get user by key, if not found then reject
            //If user dlkeyexp has not expired then return file
-            var dlkeyUser = await ct.User.SingleOrDefaultAsync(m => m.DlKey == t && m.Active == true);
-            if (dlkeyUser == null)
-            {
-                await Task.Delay(nFailedAuthDelay);//DOS protection
-                return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
-            }
-
-            //Make sure the token provided is for the current user
-            //bugbug: Is this not a bug, there's no way to set this properly is there?
-            long UserId = UserIdFromContext.Id(HttpContext.Items);
-            if (UserId != dlkeyUser.Id)
+            var DownloadUser = await ct.User.AsNoTracking().SingleOrDefaultAsync(m => m.DlKey == t && m.Active == true);
+            if (DownloadUser == null)
            {
                await Task.Delay(nFailedAuthDelay);//DOS protection
                return StatusCode(401, new ApiErrorResponse(ApiErrorCode.AUTHENTICATION_FAILED));
            }

+            //TODO: EVENT LOG THIS SHIT

            var utcNow = new DateTimeOffset(DateTime.Now.ToUniversalTime(), TimeSpan.Zero);
-            if (dlkeyUser.DlKeyExpire < utcNow.DateTime)
+            if (DownloadUser.DlKeyExpire < utcNow.DateTime)
            {

                await Task.Delay(nFailedAuthDelay);//DOS protection
@@ -351,8 +343,9 @@ namespace AyaNova.Api.Controllers
                return NotFound(new ApiErrorResponse(ApiErrorCode.NOT_FOUND));
            }

+
            //is this allowed?
-            if (!Authorized.HasReadFullRole(HttpContext.Items, dbObj.AttachToObjectType))
+            if (!Authorized.HasReadFullRole(DownloadUser.Roles, dbObj.AttachToObjectType))
            {
                await Task.Delay(nFailedAuthDelay);//DOS protection
                return StatusCode(403, new ApiNotAuthorizedResponse());
@@ -373,7 +366,7 @@ namespace AyaNova.Api.Controllers
            }

            //Log
-            await EventLogProcessor.LogEventToDatabaseAsync(new Event(UserId, dbObj.AttachToObjectId, dbObj.AttachToObjectType, AyaEvent.AttachmentDownload, dbObj.DisplayFileName), ct);
+            await EventLogProcessor.LogEventToDatabaseAsync(new Event(DownloadUser.Id, dbObj.AttachToObjectId, dbObj.AttachToObjectType, AyaEvent.AttachmentDownload, dbObj.DisplayFileName), ct);

            return PhysicalFile(filePath, mimetype, dbObj.DisplayFileName);