* Verify access to regular uploads
* Regular uploads: UUID-filename or timestamp-filename
* Priority: Database lookup (for workspace files) > Metadata > Deny
( cloudKey: string, userId: string, customConfig?: StorageConfig, isLocal?: boolean, requireWrite = false )
| 636 | * Priority: Database lookup (for workspace files) > Metadata > Deny |
| 637 | */ |
| 638 | async function verifyRegularFileAccess( |
| 639 | cloudKey: string, |
| 640 | userId: string, |
| 641 | customConfig?: StorageConfig, |
| 642 | isLocal?: boolean, |
| 643 | requireWrite = false |
| 644 | ): Promise<boolean> { |
| 645 | try { |
| 646 | // Priority 1: Check if this might be a workspace file (check database) |
| 647 | // This handles legacy files that might not have metadata |
| 648 | const workspaceFileRecord = await lookupWorkspaceFileByKey(cloudKey) |
| 649 | if (workspaceFileRecord) { |
| 650 | const permission = await getUserEntityPermissions( |
| 651 | userId, |
| 652 | 'workspace', |
| 653 | workspaceFileRecord.workspaceId |
| 654 | ) |
| 655 | if (workspacePermissionSatisfies(permission, requireWrite)) { |
| 656 | logger.debug('Regular file access granted (workspace file from database)', { |
| 657 | userId, |
| 658 | workspaceId: workspaceFileRecord.workspaceId, |
| 659 | cloudKey, |
| 660 | }) |
| 661 | return true |
| 662 | } |
| 663 | logger.warn('User does not have workspace access for file', { |
| 664 | userId, |
| 665 | workspaceId: workspaceFileRecord.workspaceId, |
| 666 | cloudKey, |
| 667 | }) |
| 668 | return false |
| 669 | } |
| 670 | |
| 671 | // Priority 2: Check metadata (works for both local and cloud files) |
| 672 | const config: StorageConfig = customConfig || {} |
| 673 | const metadata = await getFileMetadata(cloudKey, config) |
| 674 | const fileUserId = metadata.userId |
| 675 | const workspaceId = metadata.workspaceId |
| 676 | |
| 677 | // If file has userId, verify ownership |
| 678 | if (fileUserId) { |
| 679 | if (fileUserId === userId) { |
| 680 | logger.debug('Regular file access granted (userId match)', { userId, cloudKey }) |
| 681 | return true |
| 682 | } |
| 683 | logger.warn('User does not own file', { userId, fileUserId, cloudKey }) |
| 684 | return false |
| 685 | } |
| 686 | |
| 687 | // If file has workspaceId, verify workspace membership |
| 688 | if (workspaceId) { |
| 689 | const permission = await getUserEntityPermissions(userId, 'workspace', workspaceId) |
| 690 | if (workspacePermissionSatisfies(permission, requireWrite)) { |
| 691 | logger.debug('Regular file access granted (workspace membership)', { |
| 692 | userId, |
| 693 | workspaceId, |
| 694 | cloudKey, |
| 695 | }) |
no test coverage detected