fix(documents): user must be in org to upload (#660)

* fix(documents): user must be in org to upload

* chore(versioning): added changeset

Removed the possibility for unauthorized upload to another organization you're not a member of

---------

Co-authored-by: Corentin Thomasset <corentin.thomasset74@gmail.com>
Bartek Kwiecien
2025-11-29 22:52:49 +01:00
committed by GitHub
parent 334fcbdee4
commit 9b43bafe33
2 changed files with 9 additions and 1 deletions


@@ -0,0 +1,5 @@
---
"@papra/app-server": patch
---
Removed the possibility for unauthorized upload to another organization you're not member of


@@ -34,7 +34,7 @@ export function registerDocumentsRoutes(context: RouteDefinitionContext) {
}
function setupCreateDocumentRoute({ app, ...deps }: RouteDefinitionContext) {
const { config } = deps;
const { config, db } = deps;
app.post(
'/api/organizations/:organizationId/documents',
@@ -46,6 +46,9 @@ function setupCreateDocumentRoute({ app, ...deps }: RouteDefinitionContext) {
const { userId } = getUser({ context });
const { organizationId } = context.req.valid('param');
const organizationsRepository = createOrganizationsRepository({ db });
await ensureUserIsInOrganization({ userId, organizationId, organizationsRepository });
const { maxUploadSize } = config.documentsStorage;
const { fileStream, fileName, mimeType } = await getFileStreamFromMultipartForm({
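Review bot: The new `ensureUserIsInOrganization` call in the `POST /api/organizations/:organizationId/documents` handler has no regression test in this commit; the diffstat lists only the changeset and this routes file. A route test should assert that an authenticated user who is not a member of `organizationId` is rejected and that no document is stored. The check is correctly placed ahead of `getFileStreamFromMultipartForm`, so a non-member's body is never read, and a short comment such as `// Authorization: reject non-members before the multipart body is consumed` would keep a later refactor from moving it below the parsing. Because the check is wired inline per handler, the other `:organizationId` routes registered by `registerDocumentsRoutes` (not visible here) should be confirmed to carry the same call, or it could be moved into shared middleware so a new route cannot omit it. The handler body continues outside the hunk.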