From ac467b293697239ec27db6d6bda5e97b2654e616 Mon Sep 17 00:00:00 2001
From: Tom Moor <tom.moor@gmail.com>
Date: Fri, 24 Jun 2022 11:24:11 +0200
Subject: [PATCH] fix: Return direct url to public attachments, closes #3686

---
 server/routes/api/attachments.ts | 56 ++++++++++++++++++--------------
 1 file changed, 32 insertions(+), 24 deletions(-)

diff --git a/server/routes/api/attachments.ts b/server/routes/api/attachments.ts
index f33cef994..c7d086bcc 100644
--- a/server/routes/api/attachments.ts
+++ b/server/routes/api/attachments.ts
@@ -1,6 +1,7 @@
 import Router from "koa-router";
 import { v4 as uuidv4 } from "uuid";
 import { bytesToHumanReadable } from "@shared/utils/files";
+import { sequelize } from "@server/database/sequelize";
 import {
   AuthorizationError,
   NotFoundError,
@@ -42,13 +43,10 @@ router.post("attachments.create", auth(), async (ctx) => {
     );
   }
 
+  const isPublic = ctx.body.public;
   const s3Key = uuidv4();
   const acl =
-    ctx.body.public === undefined
-      ? AWS_S3_ACL
-      : ctx.body.public
-      ? "public-read"
-      : "private";
+    isPublic === undefined ? AWS_S3_ACL : isPublic ? "public-read" : "private";
   const bucket = acl === "public-read" ? "public" : "uploads";
   const key = `${bucket}/${user.id}/${s3Key}/${name}`;
   const presignedPost = await getPresignedPost(key, acl, contentType);
@@ -62,24 +60,34 @@ router.post("attachments.create", auth(), async (ctx) => {
     authorize(user, "update", document);
   }
 
-  const attachment = await Attachment.create({
-    key,
-    acl,
-    size,
-    url,
-    contentType,
-    documentId,
-    teamId: user.teamId,
-    userId: user.id,
-  });
-  await Event.create({
-    name: "attachments.create",
-    data: {
-      name,
-    },
-    teamId: user.teamId,
-    userId: user.id,
-    ip: ctx.request.ip,
+  const attachment = await sequelize.transaction(async (transaction) => {
+    const attachment = await Attachment.create(
+      {
+        key,
+        acl,
+        size,
+        url,
+        contentType,
+        documentId,
+        teamId: user.teamId,
+        userId: user.id,
+      },
+      { transaction }
+    );
+    await Event.create(
+      {
+        name: "attachments.create",
+        data: {
+          name,
+        },
+        teamId: user.teamId,
+        userId: user.id,
+        ip: ctx.request.ip,
+      },
+      { transaction }
+    );
+
+    return attachment;
   });
 
   ctx.body = {
@@ -96,7 +104,7 @@ router.post("attachments.create", auth(), async (ctx) => {
         contentType,
         name,
         id: attachment.id,
-        url: attachment.redirectUrl,
+        url: isPublic ? url : attachment.redirectUrl,
         size,
       },
     },