No permission to get upload via API

[f-krueger]

Describe the bug

When trying to access data uploads via API that was uploaded by userA, userB gets HTTP error 403.

Steps to reproduce

• Add data to experiment by userA
• try to get upload from experiment via API by userB as described in https://doc.elabftw.net/api/#api-Entity-GetUpload
• HTTP 403 error raised

Information

• Version of eLabFTW (visible in bottom right of a page): 3.6.6
• Server operating system (e.g: Ubuntu, CentOS): Debian latest stable
• Docker (yes/no): yes
• Client operating system (e.g: MacOS, Windows, GNU+Linux): Ubuntu
• Browser (e.g. firefox, chrome): not applicable

[NicolasCARPi]

Hello,

It is not a bug per se, it's just how it was coded. I even added a comment to acknowledge my laziness:

// check user owns the file
// we could also check if user has read access to the item
// but for now let's just restrict downloading file via API to owned files
if ((int) $uploadData['userid'] !== (int) $this->Users->userData['userid']) {
       return new Response('You do not have permission to access this resource.', 403);
}

(source)

I'll try and fix that later.

[NicolasCARPi]

This has been fixed!

[m6121]

Are the changes from a27ef8f compatible with the current version 3.6.7 in order to enable download of the attachments prior to the new release version 4?

[NicolasCARPi]

@m6121 yes they are!