    fix: add access control checks for attachments, comments, and reactions · c7b48b80
    Johnny authored
    Security fixes for multiple authorization bypass vulnerabilities:
    
    - GetAttachment: Add visibility check via checkAttachmentAccess helper
    - UpdateAttachment: Add ownership check (creator or admin only)
    - Fileserver: Require creator/admin auth for unlinked attachments
    - ListMemoAttachments: Add memo visibility check
    - CreateMemoComment: Add memo visibility check for target memo
    - ListMemoReactions: Add memo visibility check
    - UpsertMemoReaction: Add memo visibility check
    
    All checks follow the existing pattern used in GetMemo for consistency.
Name
test
acl_config.go
acl_config_test.go
activity_service.go
attachment_exif_test.go
attachment_service.go
auth_service.go
auth_service_client_info_test.go
common.go
connect_handler.go
connect_interceptors.go
connect_services.go
header_carrier.go
health_service.go
idp_service.go
instance_service.go
memo_attachment_service.go
memo_relation_service.go
memo_service.go
memo_service_converter.go
memo_service_filter.go
reaction_service.go
resource_name.go
shortcut_service.go
user_service.go
user_service_stats.go
v1.go