Add folder type checks in viewer handlers to prevent folder viewing

2026-01-26 04:17:38 +01:00
parent 5dd6d79d4c
commit abc60399d8
2 changed files with 12 additions and 0 deletions
--- a/go_cloud/bin/api
+++ b/go_cloud/bin/api
--- a/go_cloud/internal/http/routes.go
+++ b/go_cloud/internal/http/routes.go
@@ -626,6 +626,12 @@ func viewerHandler(w http.ResponseWriter, r *http.Request, db *database.DB, jwtM
 		return
 	}

+	// Check if it's a folder - cannot view folders
+	if file.Type == "folder" {
+		errors.WriteError(w, errors.CodeInvalidArgument, "Cannot view folders", http.StatusBadRequest)
+		return
+	}
+
 	// Log activity
 	db.LogActivity(r.Context(), userID, orgID, &fileId, "view_file", map[string]interface{}{})

@@ -729,6 +735,12 @@ func userViewerHandler(w http.ResponseWriter, r *http.Request, db *database.DB,
 		return
 	}

+	// Check if it's a folder - cannot view folders
+	if file.Type == "folder" {
+		errors.WriteError(w, errors.CodeInvalidArgument, "Cannot view folders", http.StatusBadRequest)
+		return
+	}
+
 	// Optionally log activity without org id
 	db.LogActivity(r.Context(), userID, uuid.Nil, &fileId, "view_user_file", map[string]interface{}{})