Describe the bug
I run a memos server with the docker image tagged 0.22.1. When I access a resource attached to a private memo without authentication, it causes a panic, with the log as below:
I dug into the source code. It seems to happen in `server/router/api/v1/resource_service.go:183`, when `user` is nil and the code tries to access `user.ID`:
```go
user, err := getCurrentUser(ctx, s.Store)
if err != nil {
	return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
}
// user is nil for an unauthenticated request, so user.ID panics here.
if memo.Visibility == store.Private && user.ID != resource.CreatorID { // this line
	return nil, status.Errorf(codes.Unauthenticated, "unauthorized access")
}
```
Steps to reproduce
Access the `GetResourceBinary` method from the API without authentication; this always reproduces the bug.
Post a memo with visibility == Private.
Call the `GetResourceBinary` method from the API without authentication, for example with the curl command below:
```sh
curl -X GET http://localhost:5230/file/resources/1/xxx.jpg
```
curl produces an error, and the panic log can be seen on the server.
The version of Memos you're using
v0.22.1
Screenshots or additional context
In addition:
I noticed that the docker container shut down after the panic. I'm wondering why there is no panic-recover interceptor to avoid a complete server shutdown. It seems not so difficult to implement.
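As an added illustration (not code from the memos project or from the issue author), the Go program below models the two points raised in this report on constructed stand-in types: a nil-safe version of the visibility check that rejects anonymous callers before any field access, and a recovery wrapper with the shape of a unary gRPC interceptor that turns a handler panic into an error response instead of a process exit. The type names `User`, `Memo`, `Resource`, the `Visibility` constants, the sentinel errors and the `Handler` type are assumptions made for this example, not the project's own definitions.

```go
package main

import (
	"errors"
	"fmt"
)

// Constructed stand-ins for the types involved in the report (assumptions for
// this example, not the memos project's own types).
type Visibility int

const (
	Public Visibility = iota
	Protected
	Private
)

type User struct{ ID int32 }
type Memo struct{ Visibility Visibility }
type Resource struct{ CreatorID int32 }

var (
	ErrUnauthenticated  = errors.New("unauthenticated")
	ErrPermissionDenied = errors.New("permission denied")
)

// vulnerableCheck has the shape of the reported code: for an anonymous
// request user is nil, and reading user.ID is a nil pointer dereference.
func vulnerableCheck(user *User, memo Memo, res Resource) error {
	if memo.Visibility == Private && user.ID != res.CreatorID { // panics when user == nil
		return ErrUnauthenticated
	}
	return nil
}

// hardenedCheck branches on visibility first and tests for a missing user
// before touching any of its fields, so an anonymous request for a private
// memo gets a clean Unauthenticated error. Protected (a constructed level
// here) requires a signed-in user; Public requires nothing.
func hardenedCheck(user *User, memo Memo, res Resource) error {
	switch memo.Visibility {
	case Public:
		return nil
	case Protected:
		if user == nil {
			return ErrUnauthenticated
		}
		return nil
	case Private:
		if user == nil {
			return ErrUnauthenticated
		}
		if user.ID != res.CreatorID {
			return ErrPermissionDenied
		}
		return nil
	default:
		return fmt.Errorf("unknown visibility %d", memo.Visibility)
	}
}

// Handler has the shape of a unary gRPC handler.
type Handler func(req any) (any, error)

// withRecovery wraps a handler so that a panic becomes an error return and
// the process keeps serving. Named results let the deferred function
// overwrite the return values after recover().
func withRecovery(h Handler) Handler {
	return func(req any) (resp any, err error) {
		defer func() {
			if r := recover(); r != nil {
				resp = nil
				err = fmt.Errorf("internal: recovered from panic: %v", r)
			}
		}()
		return h(req)
	}
}

func main() {
	privateMemo := Memo{Visibility: Private}
	res := Resource{CreatorID: 1}

	// Anonymous request through the unguarded check: without the wrapper this
	// would crash the server; with it the caller gets an error instead.
	unguarded := withRecovery(func(req any) (any, error) {
		return nil, vulnerableCheck(nil, privateMemo, res)
	})
	_, err := unguarded(nil)
	fmt.Println("unguarded check, anonymous:", err)

	fmt.Println("hardened check, anonymous:  ", hardenedCheck(nil, privateMemo, res))
	fmt.Println("hardened check, other user: ", hardenedCheck(&User{ID: 2}, privateMemo, res))
	fmt.Println("hardened check, creator:    ", hardenedCheck(&User{ID: 1}, privateMemo, res))
}
```

In a real gRPC server the wrapper would be registered as a unary (and stream) interceptor and would log the recovered value with its stack trace; the recovery interceptor in go-grpc-middleware is an existing implementation of this pattern. The same wrapping works as HTTP middleware for a route like `/file/resources/...`. The recovery wrapper is a safety net for bugs not yet found; the nil check is still the actual fix, because an anonymous caller should get Unauthenticated, not Internal.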