mirror of https://we.phorge.it/source/phorge.git synced 2024-11-15 11:22:40 +01:00
phorge-phorge/src/applications/files/controller
epriestley 2896da384c Only require POST to fetch file data if the viewer is logged in
Summary:
Ref T11357. In D17611, I added `file.search`, which includes a `"dataURI"`. Partly, this is building toward resolving T8348.

However, in some cases you can't GET this URI because of a security measure:

  - You have not configured `security.alternate-file-domain`.
  - The file isn't web-viewable.
  - (The request isn't an LFS request.)

The goal of this security mechanism is just to protect against session hijacking, so it's also safe to disable it if the viewer didn't present any credentials (since that means there's nothing to hijack). Add that exception, and reorganize the code a little bit.

Test Plan:
  - From the browser (with a session), tried to GET a binary data file. Got redirected.
  - Got a download with POST.
  - From the CLI (without a session), tried to GET a binary data file. Got a download.

Reviewers: chad

Reviewed By: chad

Maniphest Tasks: T11357

Differential Revision: https://secure.phabricator.com/D17613
2017-04-04 16:16:01 -07:00
PhabricatorFileComposeController.php When users choose a default project icon, make a permanent file 2016-07-11 09:24:00 -07:00
PhabricatorFileController.php Remove newFromMenu() from SideNav 2016-01-14 05:33:34 -08:00
PhabricatorFileDataController.php Only require POST to fetch file data if the viewer is logged in 2017-04-04 16:16:01 -07:00
PhabricatorFileDeleteController.php Update Files to new UI 2016-04-05 15:58:27 -07:00
PhabricatorFileDropUploadController.php Provide an <input type="file"> control in Remarkup for mobile and users with esoteric windowing systems 2016-05-20 16:24:22 -07:00
PhabricatorFileEditController.php Move Files editing and commenting to EditEngine 2017-04-04 16:15:11 -07:00
PhabricatorFileIconSetSelectController.php Add more icon choices to Badges 2017-03-03 13:45:53 -08:00
PhabricatorFileImageProxyController.php Fix a bug in the imageproxy controller 2016-09-26 10:44:55 -04:00
PhabricatorFileInfoController.php Move Files editing and commenting to EditEngine 2017-04-04 16:15:11 -07:00
PhabricatorFileLightboxController.php Allow lightbox comments to be viewed logged out 2017-02-13 13:54:13 -08:00
PhabricatorFileListController.php Remove newFromMenu() from SideNav 2016-01-14 05:33:34 -08:00
PhabricatorFileTransformController.php When file transforms race and lose, accept defeat gracefully 2015-05-21 09:42:20 -07:00
PhabricatorFileTransformListController.php Update Files to new UI 2016-04-05 15:58:27 -07:00
PhabricatorFileUploadController.php Update Files to new UI 2016-04-05 15:58:27 -07:00
PhabricatorFileUploadDialogController.php Allow Pholio mocks to be created and edited without drag-and-drop 2016-06-09 08:43:38 -07:00