Fix a bug with deduplicated file download

2026-02-03 17:40:39 +01:00 · 2026-01-14 11:36:09 +01:00
parent 8d899e4d9f
commit a254786ddc
1 changed files with 36 additions and 33 deletions
--- a/ram/ram/views.py
+++ b/ram/ram/views.py
@@ -85,12 +85,20 @@ class DownloadFile(View):
        # Find all models inheriting from PublishableFile
        for model in apps.get_models():
            if issubclass(model, PrivateDocument) and not model._meta.abstract:
-                try:
-                    doc = model.objects.get(file__endswith=filename)
-                    if doc.private and not request.user.is_staff:
+                # Due to deduplication, multiple documents may have
+                # the same file name; if any is private, use a failsafe
+                # approach enforce access control
+                docs = model.objects.filter(file__endswith=filename)
+                if not docs.exists():
+                    continue
+
+                if (
+                    any(doc.private for doc in docs)
+                    and not request.user.is_staff
+                ):
                    break

-                    file = doc.file
+                file = docs.first().file
                if not os.path.exists(file.path):
                    break

@@ -110,14 +118,9 @@ class DownloadFile(View):
                        open(file.path, "rb"), as_attachment=True
                    )

-                    response["Content-Disposition"] = (
-                        '{}; filename="{}"'.format(
-                            disposition,
-                            smart_str(os.path.basename(file.path))
-                        )
+                response["Content-Disposition"] = '{}; filename="{}"'.format(
+                    disposition, smart_str(os.path.basename(file.path))
                )
                return response
-                except model.DoesNotExist:
-                    continue

        raise Http404("File not found")