Add verification to authorize get images with X-user-id and X-auth-token (#10741)

d6ff269b · Marcos Spessatto Defendi · Rodrigo Nascimento · 0f5cffa3 · d6ff269b
Commit d6ff269b authored 6 years ago by Marcos Spessatto Defendi Committed by Rodrigo Nascimento 6 years ago
--- a/packages/rocketchat-file-upload/server/lib/FileUpload.js
+++ b/packages/rocketchat-file-upload/server/lib/FileUpload.js
@@ -203,17 +203,13 @@ Object.assign(FileUpload, {
 		let { rc_uid, rc_token } = query;
 		if (!rc_uid && headers.cookie) {
-			rc_uid = cookie.get('rc_uid', headers.cookie) ;
+			rc_uid = cookie.get('rc_uid', headers.cookie);
 			rc_token = cookie.get('rc_token', headers.cookie);
 		}
+		const isAuthorizedByCookies = rc_uid && rc_token && RocketChat.models.Users.findOneByIdAndLoginToken(rc_uid, rc_token);
-		if (!rc_uid || !rc_token || !RocketChat.models.Users.findOneByIdAndLoginToken(rc_uid, rc_token)) {
+		const isAuthorizedByHeaders = headers['x-user-id'] && headers['x-auth-token'] && RocketChat.models.Users.findOneByIdAndLoginToken(headers['x-user-id'], headers['x-auth-token']);
-			return false;
+		return isAuthorizedByCookies || isAuthorizedByHeaders;
-		}
-		return true;
 	},
 	addExtensionTo(file) {
 		if (mime.lookup(file.name) === file.type) {
 			return file;