Restrict access to email attachments
What does this MR do?
Restricts access to files that were uploaded as email attachments to users who are allowed to access the corresponding mailbox. Until now, these were publicly available even without login.
How confident are you it won't break things if deployed?
very sure
Links to related issues
How to test
- Checkout branch locally
- Login as userbot
- Open any mailbox and send an email with an attachment
- Copy the attachment's URL
- Login as someone else and try to access that URL
Screenshots (if applicable)
Checklist
-
added a test, or explain why one is not needed/possible... -
no unrelated changes -
asked someone for a code review -
set a "for:" label to indicate who will be affected by this change -
set the "API change" label if changes in the API are not backward compatible -
added to the next milestone (see https://gitlab.com/foodsharing-dev/foodsharing/-/milestones, unless it has a "for:Dev" label) -
added an entry to CHANGELOG.md -
added a short text in the release notes to /release-notes/YYYY-MM.md -
Once your MR has been merged, you are responsible to create a testing issue in the Beta Testing forum: https://foodsharing.de/region?bid=734&sub=forum. Please change the MRs label to "state:Beta testing". - Consider writing a detailed description in German.
- Describe in a few sentences, what should be tested from a user perspective.
- Also mention different settings (e.g. different browsers, roles, ...) how this change can be tested.
- Be aware, that also non technical people should understand.
Edited by Alex