From 714298a94eab8dc88e99a5bba64b6061f52b06a0 Mon Sep 17 00:00:00 2001
From: kolaente
Date: Thu, 21 Nov 2024 15:42:53 +0100
Subject: [PATCH] fix(attachments): check permissions when accessing all attachments

(cherry picked from commit 3659b7b58d4405452f3e806e12b0e3dfb4577503)
---
 pkg/models/task_attachment.go | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/pkg/models/task_attachment.go b/pkg/models/task_attachment.go
index bbf715414..afe584ca8 100644
--- a/pkg/models/task_attachment.go
+++ b/pkg/models/task_attachment.go
@@ -132,7 +132,16 @@ func (ta *TaskAttachment) ReadOne(s *xorm.Session, _ web.Auth) (err error) {
 // @Failure 404 {object} models.Message "The task does not exist."
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /tasks/{id}/attachments [get]
-func (ta *TaskAttachment) ReadAll(s *xorm.Session, _ web.Auth, _ string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+func (ta *TaskAttachment) ReadAll(s *xorm.Session, a web.Auth, _ string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
+ task := Task{ID: ta.TaskID}
+ canRead, _, err := task.CanRead(s, a)
+ if err != nil {
+ return nil, 0, 0, err
+ }
+ if !canRead {
+ return nil, 0, 0, ErrGenericForbidden{}
+ }
+
 attachments := []*TaskAttachment{}
 limit, start := getLimitFromPageIndex(page, perPage)