feat: Track attachments access (#4416)

server/migrations/20221112162341-attachment-tracking.js

@@ -0,0 +1,13 @@
+"use strict";
+
+module.exports = {
+  up: async (queryInterface, Sequelize) => {
+    await queryInterface.addColumn("attachments", "lastAccessedAt", {
+      type: Sequelize.DATE,
+      allowNull: true,
+    });
+  },
+  down: async (queryInterface) => {
+    await queryInterface.removeColumn("attachments", "lastAccessedAt");
+  },
+};

server/models/Attachment.ts

@@ -44,6 +44,9 @@ class Attachment extends IdModel {
   @Column
   acl: string;
 
+  @Column
+  lastAccessedAt: Date | null;
+
   // getters
 
   get name() {

server/routes/api/attachments.ts

@@ -159,11 +159,15 @@ const handleAttachmentsRedirect = async (ctx: ContextWithState) => {
     rejectOnEmpty: true,
   });
 
-  if (attachment.isPrivate) {
+  if (attachment.isPrivate && attachment.teamId !== user.teamId) {
-    if (attachment.teamId !== user.teamId) {
+    throw AuthorizationError();
-      throw AuthorizationError();
+  }
-    }
 
+  await attachment.update({
+    lastAccessedAt: new Date(),
+  });
+
+  if (attachment.isPrivate) {
     const accessUrl = await getSignedUrl(attachment.key);
     ctx.redirect(accessUrl);
   } else {