
Storage API actually doesn't allow an unauthenticated user to access a publicly accessible internal data file

Open t83714 opened this issue 5 years ago • 0 comments

Describe the bug

Storage API actually doesn't allow an unauthenticated user to access a publicly accessible internal data file.

e.g. this dataset:

https://dev.magda.io/dataset/magda-ds-d30a068d-877c-4d86-a885-b90e7f2b8fa1/details?q=

A user can access it without logging in, but not the data file:

https://dev.magda.io/api/v0/storage/magda-datasets/magda-ds-d30a068d-877c-4d86-a885-b90e7f2b8fa1/magda-dist-f25a2e99-2424-4257-bdda-e74d26bae5e2/Water_Supply_-_Daily_Volume_observed_for_storage_dams_operated_by_Melbourne_Water.geojson

The problem is that this function didn't consider the situation when an anonymous / unauthenticated user tries to access a publicly visible data file:

https://github.com/magda-io/magda/blob/896af33d0ae444b0b4052700d94526c9d916aa5c/magda-storage-api/src/createApiRouter.ts#L187

t83714, Oct 13 '20 12:10
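The failure mode reported above, sketched as an added TypeScript example that is not Magda's code: an access check that rejects a missing identity before looking at the record's visibility, next to one that lets the record's policy decide. The policy shape, object keys, function names and HTTP status codes are all assumptions made for illustration.

```typescript
// Added illustration: every name, key and status code here is hypothetical, not Magda's code.
interface RecordPolicy {
  publiclyReadable: boolean;
  allowedUserIds: string[];
}

// Constructed sample data: storage object key -> access policy of the owning record.
const policies: { [key: string]: RecordPolicy } = {
  "ds-public/dist-1/data.geojson": { publiclyReadable: true, allowedUserIds: [] },
  "ds-private/dist-2/data.csv": { publiclyReadable: false, allowedUserIds: ["user-1"] },
};

function lookupPolicy(key: string): RecordPolicy | undefined {
  // hasOwnProperty avoids matching inherited names such as "constructor".
  return Object.prototype.hasOwnProperty.call(policies, key) ? policies[key] : undefined;
}

// Assumed shape of the bug: a request without an identity is rejected
// before the record's visibility is ever consulted.
function statusBefore(key: string, userId?: string): number {
  if (!userId) return 401;
  const policy = lookupPolicy(key);
  if (!policy) return 404;
  const allowed = policy.publiclyReadable || policy.allowedUserIds.indexOf(userId) !== -1;
  return allowed ? 200 : 403;
}

// Corrected order: the record's policy decides first, so an anonymous caller
// can read public objects. Everything else stays closed to anonymous callers.
function statusAfter(key: string, userId?: string): number {
  const policy = lookupPolicy(key);
  if (policy && policy.publiclyReadable) return 200;
  // Same answer for "missing" and "private" so anonymous callers cannot
  // tell which private object keys exist.
  if (!userId) return 401;
  if (!policy) return 404;
  return policy.allowedUserIds.indexOf(userId) !== -1 ? 200 : 403;
}
```

A regression test for this class of bug should cover the anonymous caller against both a public and a private object, not only the authenticated paths.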