New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Access control does not prevent access to files in private resources from unauthenticated user #328
Comments
The view for download does not check permissions in anyway. It also reads the entire file contents into memory before responding. This is extremely expensive and quite possibly dangerous. |
I would recommend looking into a solution that utilizes the X-Sendfile header to pass the instruction along to the webserver directly to handle the response of the file contents more efficiently, upon verification of the requester being authorized. |
Fix to this is pushed to github and a pull request is created to be merged into dev for testing. |
Tested on alpha and it is working now. Set it to ready for testing and assign milestone 1.5.0 since it is already included on alpha and working. |
Tested on alpha. Closing. |
The fix to this issue introduced a regression error that prevents users from downloading bags. Reopen this issue and will make a further fix to fix this regression error. |
This underscores the need for more thorough automated testing. My testing of this tested that the file was not delivered to a user that did not have permissions and a direct link was entered. However it did not test everything else, and it is impossible for manual tests to always test everything else. I do not know if a unit test would have caught this, or whether this would have required some sort of end to end test. |
…anges needed for irods browser which is not used in current HydroShare codebase without irods browser
Appears fixed in testing on dev so closing, lets hope for the last time. |
The URL pattern for downloading a resource is http://beta.hydroshare.org/django_irods/download/?path=4da5255ad5ec44c682f90cd7dc5932d9/Untitledresource-4_20_2015.csv. This specific resource is private but this URL results in the file being downloaded.
The text was updated successfully, but these errors were encountered: