Only require POST to fetch file data if the viewer is logged in
ClosedPublic
Actions

Authored by epriestley on Apr 4 2017, 4:10 PM.

Details

Reviewers

chad

Maniphest Tasks

T11357: Move Files to EditEngine and modern APIs

Commits

rP2896da384cb7: Only require POST to fetch file data if the viewer is logged in

Summary

Ref T11357. In D17611, I added file.search, which includes a "dataURI". Partly, this is building toward resolving T8348.

However, in some cases you can't GET this URI because of a security measure:

You have not configured security.alternate-file-domain.
The file isn't web-viewable.
(The request isn't an LFS request.)

The goal of this security mechanism is just to protect against session hijacking, so it's also safe to disable it if the viewer didn't present any credentials (since that means there's nothing to hijack). Add that exception, and reorganize the code a little bit.

Test Plan

From the browser (with a session), tried to GET a binary data file. Got redirected.
Got a download with POST.
From the CLI (without a session), tried to GET a binary data file. Go a download.