This repository has been archived by the owner on Jan 27, 2021. It is now read-only.

limit thumbnails a users can access to his own #26

Merged: 1 commit merged on May 27, 2020

C0rby (Contributor) commented May 26, 2020

Users of the service can no longer request thumbnails of another user by guessing the etag.
The thumbnails are now only accessible by the user who created the thumbnail.

Closes #5.

C0rby requested review from IljaN, PVince81 and refs May 26, 2020 15:20
C0rby self-assigned this May 26, 2020
tokenString := auth[len("Bearer "):] // strip the bearer prefix

var claims map[string]interface{}
token, _ := jwt.ParseSigned(tokenString)
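
Review bot: The slice auth[len("Bearer "):] on the first line runs without any visible check that the header actually starts with "Bearer ". A header shorter than seven bytes panics with a slice-bounds error, and a header using any other scheme has its first seven bytes silently dropped and the remainder handed to the parser. Suggest guarding with strings.HasPrefix(auth, "Bearer ") and returning an authentication error otherwise. Since the identity taken from claims is what scopes thumbnail access, the claims map should also only be filled from a token whose signature has been verified; the visible lines show parsing only.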
Member

I'd check the error there 👀

return p[0]
}

func (s FileSystem) storeImage(key string, img []byte) (string, error) {
Member

How about making this method thread safe by adding a sync.Mutex and acquiring on every write? If this method runs on a goroutine, they should be thread safe

pkg/thumbnail/storage/filesystem.go (resolved)
pkg/thumbnail/storage/inmemory.go (outdated, resolved)
refs changed the title from "limit thumbnails a users can access to his own." to "limit thumbnails a users can access to his own" May 26, 2020
C0rby force-pushed the feature/group-thumbnails-by-users branch 3 times, most recently from 0381ff6 to 80dbdd7 May 27, 2020 11:13
C0rby force-pushed the feature/group-thumbnails-by-users branch from 80dbdd7 to 4ae1a64 May 27, 2020 11:17
C0rby merged commit 68d6161 into master May 27, 2020
delete-merged-branch bot deleted the feature/group-thumbnails-by-users branch May 27, 2020 11:23
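
The two ideas discussed in this pull request, keying thumbnails by the requesting user as well as the etag and guarding writes with a mutex, can be sketched as follows. This is an added example, not code from the pull request or the project; the names UserStore, entryKey, Set and Get are hypothetical, and the user string is assumed to come from an already verified token.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// ErrNotFound is returned both for a missing thumbnail and for one stored by
// another user, so a caller cannot probe which etags exist for other accounts.
var ErrNotFound = errors.New("thumbnail not found")

// entryKey binds a cache entry to its owner; a struct key avoids the
// ambiguity of concatenating user and etag into one string.
type entryKey struct{ user, etag string }

// UserStore is a hypothetical in-memory thumbnail store (not the PR's type).
type UserStore struct {
	mu     sync.RWMutex
	images map[entryKey][]byte
}

func NewUserStore() *UserStore {
	return &UserStore{images: make(map[entryKey][]byte)}
}

// Set stores a copy of the image under the owner's namespace.
// The write lock makes concurrent calls from several goroutines safe.
func (s *UserStore) Set(user, etag string, img []byte) {
	s.mu.Lock()
	defer s.mu.Unlock()
	s.images[entryKey{user, etag}] = append([]byte(nil), img...)
}

// Get returns the thumbnail only to the user who stored it.
func (s *UserStore) Get(user, etag string) ([]byte, error) {
	s.mu.RLock()
	defer s.mu.RUnlock()
	img, ok := s.images[entryKey{user, etag}]
	if !ok {
		return nil, ErrNotFound
	}
	return append([]byte(nil), img...), nil
}

func main() {
	s := NewUserStore()
	s.Set("alice", "etag-123", []byte("png-bytes")) // constructed sample data
	_, err := s.Get("bob", "etag-123")              // same etag, different user
	fmt.Println("bob:", err)
}
```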
Successfully merging this pull request may close these issues.

Implement security measures to prevent information leaks