From b4e196a62a4e03a75f59252d3dc3d6419457bc96 Mon Sep 17 00:00:00 2001 From: Grady Berry Ward Date: Wed, 24 Jan 2024 11:09:34 -0700 Subject: [PATCH] Allows Anonymous Downloads of Shared Assets (#171) --- cmd/server/main.go | 8 ++++++++ reportsrv/reportsrv.go | 1 + 2 files changed, 9 insertions(+) diff --git a/cmd/server/main.go b/cmd/server/main.go index 728de4f..6d0e295 100644 --- a/cmd/server/main.go +++ b/cmd/server/main.go @@ -377,6 +377,7 @@ type allowFn func(r *http.Request) bool var publicEndpoints = []allowFn{ allowPublicInitiativeLookups, + allowPublicAnalysisDownloads, } var allowPublicInitiativeLookupsRegexp = regexp.MustCompile(`^/initiative/[^/]*$`) @@ -388,6 +389,13 @@ func allowPublicInitiativeLookups(r *http.Request) bool { return allowPublicInitiativeLookupsRegexp.MatchString(r.URL.Path) } +func allowPublicAnalysisDownloads(r *http.Request) bool { + if r.Method != http.MethodGet { + return false + } + return strings.HasPrefix(r.URL.Path, "/report/") +} + func requireJWTIfNotPublicEndpoint(next http.Handler) http.Handler { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { for _, fn := range publicEndpoints { diff --git a/reportsrv/reportsrv.go b/reportsrv/reportsrv.go index 0de2e5c..b727638 100644 --- a/reportsrv/reportsrv.go +++ b/reportsrv/reportsrv.go @@ -192,6 +192,7 @@ func (s *Server) doAuthzAndAuditLog(a *pacta.Analysis, aa *pacta.AnalysisArtifac actorID, _ := session.UserIDFromContext(ctx) if actorID == "" { actorID = unauthenticatedUserID + actorOwner = &pacta.Owner{ID: unauthenticatedUserID} } else { ownerID, err := s.db.GetOwnerForUser(s.db.NoTxn(ctx), actorID) if err != nil {
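Review bot: The prefix test `strings.HasPrefix(r.URL.Path, "/report/")` in allowPublicAnalysisDownloads exempts every GET beneath `/report/` from the JWT requirement, including nested or later-added sub-routes, whereas the sibling allowPublicInitiativeLookups is anchored with `^/initiative/[^/]*$`. Mirroring that shape limits the unauthenticated surface to the single download route: `var allowPublicAnalysisDownloadsRegexp = regexp.MustCompile("^/report/[^/]*$")` and `return allowPublicAnalysisDownloadsRegexp.MatchString(r.URL.Path)`. The body of requireJWTIfNotPublicEndpoint continues past the hunk; if it skips token parsing entirely for public paths, a logged-in user fetching a non-shared report would reach the handler as anonymous, so confirm that a JWT, when present, is still validated into the request context on these routes. A doc comment should also record that this function moves the authorization decision into the report handler: `// allowPublicAnalysisDownloads lets unauthenticated GETs reach the report route; access to non-shared reports must be refused by the handler, not here.`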
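Review bot: `actorOwner = &pacta.Owner{ID: unauthenticatedUserID}` changes the anonymous case from (presumably) a nil owner to a non-nil one, so any check later in doAuthzAndAuditLog or its callees that treats a non-nil actorOwner as "has an identity" now passes for unauthenticated callers; the function's body continues outside the hunk, so confirm every grant path compares owner IDs explicitly or consults sharing, and that an owner match in the authenticated else branch can never succeed against the sentinel. The sentinel ID must also be unable to collide with a real owner row from GetOwnerForUser, otherwise an anonymous request would be treated as that owner. A why-comment would make the intent durable: `// Anonymous caller: use a sentinel owner so the audit record and authz checks below see a non-nil actor; only explicit sharing may grant access for this owner.`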