Protecting uploaded files

11 years ago · 3fb589c62b
parent 36738515ee
commit 3fb589c62b
4 changed files with 25 additions and 1 deletions
--- a/.meteor/packages
+++ b/.meteor/packages
@ -92,6 +92,7 @@ mrt:reactive-store
 mystor:device-detection
 nimble:restivus
 nooitaf:colors
+ostrio:cookies@2.0.1
 pauli:accounts-linkedin
 perak:codemirror
 percolate:migrations
--- a/.meteor/versions
+++ b/.meteor/versions
@ -101,6 +101,7 @@ oauth1@1.1.5
 oauth2@1.1.5
 observe-sequence@1.0.7
 ordered-dict@1.0.4
+ostrio:cookies@2.0.1
 pauli:accounts-linkedin@1.1.2
 pauli:linkedin@1.1.2
 perak:codemirror@1.2.8
--- a/lib/fileUpload.coffee
+++ b/lib/fileUpload.coffee
@ -31,6 +31,12 @@ if UploadFS?
 		return false;

 	initFileStore = ->
+		cookie = new Cookies()
+		if Meteor.isClient
+			cookie.set 'rc_uid', Meteor.userId();
+			cookie.set 'rc_token', Meteor._localStorage.getItem('Meteor.loginToken')
+			cookie.send()
+
 		Meteor.fileStore = new UploadFS.store.GridFS
 			collection: fileCollection
 			name: 'rocketchat_uploads'
@ -41,12 +47,21 @@ if UploadFS?
 			onFinishUpload: ->
 				console.log arguments
 			onRead: (fileId, file, req, res) ->
+				if RocketChat.settings.get 'FileUpload_ProtectFiles'
+					rawCookies = req.headers.cookie if req?.headers?.cookie?
+					uid = cookie.get('rc_uid', rawCookies) if rawCookies?
+					token = cookie.get('rc_token', rawCookies) if rawCookies?
+
+					unless uid and token and RocketChat.models.Users.findOneByIdAndLoginToken(uid, token)
+						throw new Meteor.Error 403, 'Not Allowed'
+
 				res.setHeader 'content-disposition', "attachment; filename=\"#{ encodeURIComponent(file.name) }\""

+Meteor.startup ->
 	if Meteor.isServer
 		initFileStore()
 	else
 		Tracker.autorun (c) ->
-			if RocketChat.settings.subscription.ready()
+			if Meteor.userId() and RocketChat.settings.subscription.ready()
 				initFileStore()
 				c.stop()
--- a/packages/rocketchat-lib/server/models/Users.coffee
+++ b/packages/rocketchat-lib/server/models/Users.coffee
@ -34,6 +34,13 @@ RocketChat.models.Users = new class extends RocketChat.models._Base

 		return @findOne query, options

+	findOneByIdAndLoginToken: (_id, token, options) ->
+		query =
+			_id: _id
+			'services.resume.loginTokens.hashedToken' : Accounts._hashLoginToken(token)
+
+		return @findOne query, options
+

 	# FIND
 	findUsersNotOffline: (options) ->