No access check for attachment download

[davidsvantesson]

• Gitea version (or commit ref): 1.10.0+dev-188-g2d0b90c96
• Can you reproduce the bug at https://try.gitea.io:
  • Yes (https://try.gitea.io/attachments/f3763540-6bf8-47c2-b2ce-0fa9c48f1e82)
  • No
  • Not relevant
• Log gist:

Description

Attachments are accessible just knowing their links, there are no access check of them. This was reported previously in #4721. That issue was closed with a fix on another issue regarding upload of attachment.

Note the behavior differs depending on setting.
With REQUIRE_SIGNIN_VIEW = false, attachments is public accessible without login.
With REQUIRE_SIGNIN_VIEW = true, attachments is only accessible if logged in, although still no check if you should have access to the specific file.

I find this behavior illogical. Either the UUID is enough as security and there should be no need to check authorization in any of the settings above. Or otherwise it should be checked if user has correct access right to the repository (or it is public).

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs during the next 2 weeks. Thank you for your contributions.

[sapk]

Since #9340, all access to attachments are checked for right to access related to the issue or release their are attached.