diff --git a/app/controllers/api/storage.php b/app/controllers/api/storage.php
index 98a5b105a3..c6e242296b 100644
--- a/app/controllers/api/storage.php
+++ b/app/controllers/api/storage.php
@@ -967,6 +967,7 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
 throw new Exception(Exception::GENERAL_SERVER_ERROR, 'Imagick extension is missing');
 }
+ /* @type Document $bucket */
 $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
 $isAPIKey = Auth::isAppUser(Authorization::getRoles());
@@ -987,6 +988,7 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/preview')
 if ($fileSecurity && !$valid && !$isToken) {
 $file = $dbForProject->getDocument('bucket_' . $bucket->getSequence(), $fileId);
 } else {
+ /* @type Document $file */
 $file = Authorization::skip(fn () => $dbForProject->getDocument('bucket_' . $bucket->getSequence(), $fileId));
 }
@@ -1157,7 +1159,7 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/download')
 ->inject('resourceToken')
 ->inject('deviceForFiles')
 ->action(function (string $bucketId, string $fileId, ?string $token, Request $request, Response $response, Database $dbForProject, string $mode, Document $resourceToken, Device $deviceForFiles) {
-
+ /* @type Document $bucket */
 $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
 $isAPIKey = Auth::isAppUser(Authorization::getRoles());
@@ -1175,9 +1177,10 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/download')
 throw new Exception(Exception::USER_UNAUTHORIZED);
 }
- if ($fileSecurity && !$valid) {
+ if ($fileSecurity && !$valid && !$isToken) {
 $file = $dbForProject->getDocument('bucket_' . $bucket->getSequence(), $fileId);
 } else {
+ /* @type Document $file */
 $file = Authorization::skip(fn () => $dbForProject->getDocument('bucket_' . $bucket->getSequence(), $fileId));
 }
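Review bot: `/* @type Document $bucket */` is a plain comment rather than a docblock, so static analysers and IDEs will not pick it up as a variable annotation; the recognised inline form is `/** @var Document $bucket */` (two asterisks, `@var`). The same applies to the `$file` annotation in the second preview hunk and to the `$bucket`/`$file` annotations in the download and view hunks of this file. Change each to `/** @var Document $bucket */` or `/** @var Document $file */`; the annotation is worth keeping since the document presumably comes back untyped through `Authorization::skip`. The preview action's closure starts before this hunk and continues past it.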
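Review bot: Adding `!$isToken` to the download action's condition (and the identical change in the view action further down) means a request carrying a resource token now fetches the file through `Authorization::skip`, so the bucket's fileSecurity permissions are no longer consulted for that request. The only computation of `$isToken` visible in this diff, in the `app/controllers/shared/api.php` hunk, compares just `bucketInternalId`; if these actions build `$isToken` the same way, the token would vouch for any file in the bucket rather than the one it was issued for, unless a later check binds the token's file identifier to `$file->getSequence()`. That check is outside the hunk and should be confirmed; if it is missing it belongs directly after the lookup, e.g. `if ($isToken && $resourceToken->getAttribute('<token file-id attribute>') !== $file->getSequence()) { throw new Exception(Exception::USER_UNAUTHORIZED); }`. Both action closures start before and end after their hunks.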
@@ -1317,6 +1320,7 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/view')
 ->inject('resourceToken')
 ->inject('deviceForFiles')
 ->action(function (string $bucketId, string $fileId, ?string $token, Response $response, Request $request, Database $dbForProject, string $mode, Document $resourceToken, Device $deviceForFiles) {
+ /* @type Document $bucket */
 $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
 $isAPIKey = Auth::isAppUser(Authorization::getRoles());
@@ -1334,9 +1338,10 @@ App::get('/v1/storage/buckets/:bucketId/files/:fileId/view')
 throw new Exception(Exception::USER_UNAUTHORIZED);
 }
- if ($fileSecurity && !$valid) {
+ if ($fileSecurity && !$valid && !$isToken) {
 $file = $dbForProject->getDocument('bucket_' . $bucket->getSequence(), $fileId);
 } else {
+ /* @type Document $file */
 $file = Authorization::skip(fn () => $dbForProject->getDocument('bucket_' . $bucket->getSequence(), $fileId));
 }
diff --git a/app/controllers/shared/api.php b/app/controllers/shared/api.php
index 76fe177b0b..86fb1e5822 100644
--- a/app/controllers/shared/api.php
+++ b/app/controllers/shared/api.php
@@ -576,7 +576,6 @@ App::init()
 $bucket = Authorization::skip(fn () => $dbForProject->getDocument('buckets', $bucketId));
 $isToken = !$resourceToken->isEmpty() && $resourceToken->getAttribute('bucketInternalId') === $bucket->getSequence();
- $isAPIKey = Auth::isAppUser(Authorization::getRoles());
 $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
 if ($bucket->isEmpty() || (!$bucket->getAttribute('enabled') && !$isAppUser && !$isPrivilegedUser)) {
diff --git a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Action.php b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Action.php
index bcefaf353f..5708f1b83b 100644
--- a/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Action.php
+++ b/src/Appwrite/Platform/Modules/Tokens/Http/Tokens/Buckets/Files/Action.php
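Review bot: The removed `$isAPIKey` assignment in `app/controllers/shared/api.php` is the only assignment of an app-user flag visible here, yet the surviving condition two lines below tests `!$isAppUser`. If `$isAppUser` is not assigned earlier in the `App::init()` handler (outside this hunk), that condition runs on an undefined variable, which PHP merely warns about; `!$isAppUser` is then always true and a disabled bucket is gated by `$isPrivilegedUser` alone. Please confirm `$isAppUser` is defined above; if it is not, the line should be restored as `$isAppUser = Auth::isAppUser(Authorization::getRoles());` rather than deleted. The enclosing init handler starts before and ends after this hunk.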
@@ -37,6 +37,7 @@ class Action extends UtopiaAction
 if ($file->isEmpty()) {
 throw new Exception(Exception::STORAGE_FILE_NOT_FOUND);
 }
+
 return [
 'bucket' => $bucket,
 'file' => $file,
diff --git a/tests/e2e/Services/Tokens/TokensBase.php b/tests/e2e/Services/Tokens/TokensBase.php
index af93f5fc73..a4461c06c2 100644
--- a/tests/e2e/Services/Tokens/TokensBase.php
+++ b/tests/e2e/Services/Tokens/TokensBase.php
@@ -5,6 +5,8 @@ namespace Tests\E2E\Services\Tokens;
 use CURLFile;
 use Tests\E2E\Client;
 use Utopia\Database\Helpers\ID;
+use Utopia\Database\Helpers\Permission;
+use Utopia\Database\Helpers\Role;
 trait TokensBase {
@@ -275,4 +277,88 @@ trait TokensBase
 $this->assertEquals($image->getImageHeight(), $original->getImageHeight());
 $this->assertEquals('PNG', $image->getImageFormat());
 }
+
+ public function testFileAccessWithFileSecurity(): void
+ {
+ $bucket = $this->client->call(
+ Client::METHOD_POST,
+ '/storage/buckets',
+ [
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'x-appwrite-key' => $this->getProject()['apiKey'],
+ ],
+ [
+ 'name' => 'Test Bucket',
+ 'bucketId' => ID::unique(),
+ 'fileSecurity' => true,
+ 'allowedFileExtensions' => ['jpg', 'png', 'jfif'],
+ ]
+ );
+
+ $this->assertEquals(201, $bucket['headers']['status-code']);
+ $this->assertNotEmpty($bucket['body']['$id']);
+
+ $bucketId = $bucket['body']['$id'];
+
+ $file = $this->client->call(
+ Client::METHOD_POST,
+ '/storage/buckets/' . $bucketId . '/files',
+ [
+ 'content-type' => 'multipart/form-data',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'x-appwrite-key' => $this->getProject()['apiKey'],
+ ],
+ [
+ 'fileId' => ID::unique(),
+ 'permissions' => [ Permission::read(Role::label('devrel')) ],
+ 'file' => new CURLFile(realpath(__DIR__ . '/../../../resources/logo.png'), 'image/png', 'logo.png'),
+ ]
+ );
+
+ $fileId = $file['body']['$id'];
+
+ $token = $this->client->call(
+ Client::METHOD_POST,
+ '/tokens/buckets/' . $bucketId . '/files/' . 
$fileId,
+ [
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ 'x-appwrite-key' => $this->getProject()['apiKey'],
+ ]
+ );
+
+ $jwtToken = $token['body']['secret'];
+
+ $endpoints = ['preview', 'view', 'download'];
+
+ foreach ($endpoints as $endpoint) {
+ $response = $this->client->call(
+ Client::METHOD_GET,
+ "/storage/buckets/$bucketId/files/$fileId/$endpoint",
+ [
+ 'content-type' => 'application/json',
+ 'x-appwrite-project' => $this->getProject()['$id'],
+ ],
+ [
+ 'token' => $jwtToken
+ ]
+ );
+
+ $this->assertNotEmpty($response['body']);
+ $this->assertEquals(200, $response['headers']['status-code']);
+ $this->assertEquals('image/png', $response['headers']['content-type']);
+
+ if ($endpoint === 'download') {
+ $image = new \Imagick();
+ $image->readImageBlob($response['body']);
+ $original = new \Imagick(__DIR__ . '/../../../resources/logo.png');
+
+ $this->assertEquals($original->getImageWidth(), $image->getImageWidth());
+ $this->assertEquals($original->getImageHeight(), $image->getImageHeight());
+ $this->assertEquals('PNG', $image->getImageFormat());
+ }
+ }
+
+ }
 }
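Review bot: `testFileAccessWithFileSecurity` reads `$file['body']['$id']` and `$token['body']['secret']` without first asserting that the upload and the token creation succeeded, so a failure there surfaces as a confusing error on the first `preview` request instead of at its cause; add `$this->assertEquals(201, $file['headers']['status-code']);` after the upload, and the expected success status for the token call, mirroring the bucket assertion above. The test also covers only the positive path: the file is readable solely by `Role::label('devrel')`, so the same three endpoints should additionally be requested without the `token` parameter and asserted to return a non-200 status, otherwise the test still passes if the fileSecurity gate were removed entirely. Minor style: `'token' => $jwtToken` lacks the trailing comma used in the other arrays, and there is a stray blank line before the method's closing brace.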