|
@@ -64,8 +64,9 @@ func (c *FileController) validateFileCreateOrUpdateReq(userID int64, file ente.F
|
|
|
if !strings.HasPrefix(file.File.ObjectKey, objectPathPrefix) || !strings.HasPrefix(file.Thumbnail.ObjectKey, objectPathPrefix) {
|
|
if !strings.HasPrefix(file.File.ObjectKey, objectPathPrefix) || !strings.HasPrefix(file.Thumbnail.ObjectKey, objectPathPrefix) {
|
|
|
return stacktrace.Propagate(ente.ErrBadRequest, "Incorrect object key reported")
|
|
return stacktrace.Propagate(ente.ErrBadRequest, "Incorrect object key reported")
|
|
|
}
|
|
}
|
|
|
|
|
+ isCreateFileReq := file.ID == 0
|
|
|
// Check for attributes for fileCreation. We don't send key details on update
|
|
// Check for attributes for fileCreation. We don't send key details on update
|
|
|
- if file.ID == 0 {
|
|
|
|
|
|
|
+ if isCreateFileReq {
|
|
|
if file.EncryptedKey == "" || file.KeyDecryptionNonce == "" {
|
|
if file.EncryptedKey == "" || file.KeyDecryptionNonce == "" {
|
|
|
return stacktrace.Propagate(ente.ErrBadRequest, "EncryptedKey and KeyDecryptionNonce are required")
|
|
return stacktrace.Propagate(ente.ErrBadRequest, "EncryptedKey and KeyDecryptionNonce are required")
|
|
|
}
|
|
}
|
|
@@ -76,17 +77,22 @@ func (c *FileController) validateFileCreateOrUpdateReq(userID int64, file ente.F
|
|
|
if file.UpdationTime == 0 {
|
|
if file.UpdationTime == 0 {
|
|
|
return stacktrace.Propagate(ente.ErrBadRequest, "UpdationTime is required")
|
|
return stacktrace.Propagate(ente.ErrBadRequest, "UpdationTime is required")
|
|
|
}
|
|
}
|
|
|
- collection, err := c.CollectionRepo.Get(file.CollectionID)
|
|
|
|
|
- if err != nil {
|
|
|
|
|
- return stacktrace.Propagate(err, "")
|
|
|
|
|
- }
|
|
|
|
|
- // Verify that user owns the collection.
|
|
|
|
|
- // Warning: Do not remove this check
|
|
|
|
|
- if collection.Owner.ID != userID || file.OwnerID != userID {
|
|
|
|
|
- return stacktrace.Propagate(ente.ErrPermissionDenied, "")
|
|
|
|
|
|
|
+ if isCreateFileReq {
|
|
|
|
|
+ collection, err := c.CollectionRepo.Get(file.CollectionID)
|
|
|
|
|
+ if err != nil {
|
|
|
|
|
+ return stacktrace.Propagate(err, "")
|
|
|
|
|
+ }
|
|
|
|
|
+ // Verify that user owns the collection.
|
|
|
|
|
+ // Warning: Do not remove this check
|
|
|
|
|
+ if collection.Owner.ID != userID {
|
|
|
|
|
+ return stacktrace.Propagate(ente.ErrPermissionDenied, "collection doesn't belong to user")
|
|
|
|
|
+ }
|
|
|
|
|
+ if collection.IsDeleted {
|
|
|
|
|
+ return stacktrace.Propagate(ente.ErrNotFound, "collection has been deleted")
|
|
|
|
|
+ }
|
|
|
}
|
|
}
|
|
|
- if collection.IsDeleted {
|
|
|
|
|
- return stacktrace.Propagate(ente.ErrNotFound, "collection has been deleted")
|
|
|
|
|
|
|
+ if file.OwnerID != userID {
|
|
|
|
|
+ return stacktrace.Propagate(ente.ErrPermissionDenied, "file ownerID doesn't match with userID")
|
|
|
}
|
|
}
|
|
|
return nil
|
|
return nil
|
|
|
}
|
|
}
|
Neeraj Gupta