Add verification to authorize get images with X-user-id and X-auth-to…
…ken (#10741)
MarcosSpessatto authored and rodrigok committed May 18, 2018
1 parent 0f5cffa commit d6ff269
Showing 1 changed file with 4 additions and 8 deletions.
12 changes: 4 additions & 8 deletions packages/rocketchat-file-upload/server/lib/FileUpload.js
Expand Up @@ -203,17 +203,13 @@ Object.assign(FileUpload, {
let { rc_uid, rc_token } = query;

if (!rc_uid && headers.cookie) {
rc_uid = cookie.get('rc_uid', headers.cookie) ;
rc_uid = cookie.get('rc_uid', headers.cookie);
rc_token = cookie.get('rc_token', headers.cookie);
}

if (!rc_uid || !rc_token || !RocketChat.models.Users.findOneByIdAndLoginToken(rc_uid, rc_token)) {
return false;
}

return true;
const isAuthorizedByCookies = rc_uid && rc_token && RocketChat.models.Users.findOneByIdAndLoginToken(rc_uid, rc_token);
const isAuthorizedByHeaders = headers['x-user-id'] && headers['x-auth-token'] && RocketChat.models.Users.findOneByIdAndLoginToken(headers['x-user-id'], headers['x-auth-token']);
return isAuthorizedByCookies || isAuthorizedByHeaders;
},

addExtensionTo(file) {
if (mime.lookup(file.name) === file.type) {
return file;
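Review bot: The final `return isAuthorizedByCookies || isAuthorizedByHeaders;` no longer yields a strict boolean: on success it returns whatever `findOneByIdAndLoginToken` returns (presumably the user record), and on failure it can return `undefined` or an empty string, whereas the removed code returned `true`/`false`. Any caller that compares the result with `=== true` or `=== false` would change behaviour, and the lookup result is handed to callers that only need a yes/no answer; `return Boolean(isAuthorizedByCookies || isAuthorizedByHeaders);` keeps the old contract. The header lookup also runs when the cookie/query check has already succeeded, so folding it into the return expression would avoid a second lookup. The values taken from `query` reach the lookup without a type check in the visible lines, so a `typeof rc_uid === 'string'` guard may be worth adding if the query parser can produce non-string values. The enclosing method starts above the hunk, so any earlier checks are not visible here.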