[$500] Public Room-Anonymous user can download images #30806

Closed
3 of 6 tasks
lanitochka17 opened this issue Nov 2, 2023 · 13 comments
Labels: Bug (Something is broken. Auto assigns a BugZero manager.), Daily, KSv2, External (Added to denote the issue can be worked on by a contributor), Help Wanted (Apply this label when an issue is open to proposals by contributors)

Comments


lanitochka17 commented Nov 2, 2023


**Version Number:** 1.3.95-0
**Reproducible in staging?:** Y
**Reproducible in production?:** Y
**Logs:** https://stackoverflow.com/c/expensify/questions/4856
**Issue reported by:** Applause - Internal Team

Action Performed:

  1. Log out of New Dot Expensify if previously logged in
  2. Navigate to any public room via URL (for example this link: https://staging.new.expensify.com/r/5408450846930023)
  3. Verify you can see the announce room as an anonymous user
  4. Right click on any image in the conversation
  5. Click Download

Expected Result:

Clicking Download should not be allowed for an unauthenticated user, who should instead be redirected to the Sign In page

Actual Result:

The image is downloaded although the anonymous user is not authenticated

Workaround:

Unknown

Platforms:

Which of our officially supported platforms is this issue occurring on?

  • Android: Native
  • Android: mWeb Chrome
  • iOS: Native
  • iOS: mWeb Safari
  • MacOS: Chrome / Safari
  • MacOS: Desktop

Screenshots/Videos


Bug6261532_1698963588150.anonymous_user_downloads_images.mp4
Upwork Automation - Do Not Edit
  • Upwork Job URL: https://www.upwork.com/jobs/~0114824716246f4944
  • Upwork Job ID: 1720206387814977536
  • Last Price Increase: 2023-11-02
@lanitochka17 lanitochka17 added External Added to denote the issue can be worked on by a contributor Daily KSv2 Bug Something is broken. Auto assigns a BugZero manager. labels Nov 2, 2023
@melvin-bot melvin-bot bot changed the title Public Room-Anonymous user can download images [$500] Public Room-Anonymous user can download images Nov 2, 2023
melvin-bot bot commented Nov 2, 2023

Triggered auto assignment to @muttmuure (Bug), see https://stackoverflow.com/c/expensify/questions/14418 for more details.

melvin-bot bot commented Nov 2, 2023

Job added to Upwork: https://www.upwork.com/jobs/~0114824716246f4944

@melvin-bot melvin-bot bot added the Help Wanted Apply this label when an issue is open to proposals by contributors label Nov 2, 2023
melvin-bot bot commented Nov 2, 2023

Bug0 Triage Checklist (Main S/O)

  • This "bug" occurs on a supported platform (ensure Platforms in OP are ✅)
  • This bug is not a duplicate report (check E/App issues and #expensify-bugs)
    • If it is, comment with a link to the original report, close the issue and add any novel details to the original issue instead
  • This bug is reproducible using the reproduction steps in the OP. S/O
    • If the reproduction steps are clear and you're unable to reproduce the bug, check with the reporter and QA first, then close the issue.
    • If the reproduction steps aren't clear and you determine the correct steps, please update the OP.
  • This issue is filled out as thoroughly and clearly as possible
    • Pay special attention to the title, results, platforms where the bug occurs, and if the bug happens on staging/production.
  • I have reviewed and subscribed to the linked Slack conversation to ensure Slack/Github stay in sync

melvin-bot bot commented Nov 2, 2023

Triggered auto assignment to Contributor-plus team member for initial proposal review - @situchan (External)

tienifr commented Nov 2, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Anonymous user can download images in public rooms.

What is the root cause of that problem?

We allow Download for anonymous users here:

What changes do you think we should make in order to solve the problem?

Set the above prop to false.

What alternative solutions did you explore? (Optional)

NA

yh-0218 commented Nov 2, 2023

Proposal

Please re-state the problem that we are trying to solve in this issue.

Anonymous user can download images in public rooms.

What is the root cause of that problem?

Download is allowed for anonymous users.

What changes do you think we should make in order to solve the problem?

  1. We need to update `isAnonymousAction: false`
  2. We need to add `&& !Session.isAnonymousUser()` here:
    `shouldShowDownloadButton={props.allowDownload && shouldShowDownloadButton && !isAttachmentReceipt && !isOffline}`

What alternative solutions did you explore? (Optional)

Screen.Recording.2023-11-03.at.1.39.16.AM.mov

@DylanDylann

Proposal

Please re-state the problem that we are trying to solve in this issue.

  • Anonymous user can download images in public rooms.

What is the root cause of that problem?

  • We allow anonymous users to download images.

What changes do you think we should make in order to solve the problem?

  • We have a function `fileDownload` used to handle the download action across the entire app:
    `export default function fileDownload(url, fileName) {`
  • So we should add the `isAnonymousAction` logic check to this.

What alternative solutions did you explore? (Optional)

  • NA
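As an added example (not Expensify/App code, and not from any of the proposers above), here are the three gating points the proposals describe, written as pure functions so the outcome can be checked without a UI: the `isAnonymousAction` flag on context-menu actions, the `shouldShowDownloadButton` prop, and a guard inside the shared `fileDownload(url, fileName)` helper. The action names, the `Session` objects and the downloader callback are constructed for this demo.

```javascript
// Added example, not Expensify/App code. Everything below is constructed:
// action names, the Session stand-ins, and the downloader callback.

// Context-menu actions carry an `isAnonymousAction` flag (the name used in
// the proposals). For an anonymous session only flagged actions are offered.
const CONTEXT_MENU_ACTIONS = [
  { name: 'CopyToClipboard', isAnonymousAction: true },
  { name: 'CopyURLToClipboard', isAnonymousAction: true },
  { name: 'Download', isAnonymousAction: false }, // proposal 1: set to false
];

function visibleActions(actions, session) {
  return actions.filter((a) => !session.isAnonymousUser() || a.isAnonymousAction);
}

// Proposal 2: the prop that decides whether the download button renders.
function shouldShowDownloadButton({ allowDownload, isAttachmentReceipt, isOffline }, session) {
  return allowDownload && !isAttachmentReceipt && !isOffline && !session.isAnonymousUser();
}

// Proposal 3: gate the shared `fileDownload(url, fileName)` helper itself, so a
// hidden button is not the only control. Returns what happened instead of
// performing I/O, so the result can be asserted; `downloader` is injected.
function guardedFileDownload(url, fileName, session, downloader) {
  if (session.isAnonymousUser()) {
    return { action: 'redirect', to: '/signin' }; // the expected result in the OP
  }
  downloader(url, fileName);
  return { action: 'downloaded', url, fileName };
}

// Constructed sessions standing in for Session.isAnonymousUser().
const anonymousSession = { isAnonymousUser: () => true };
const signedInSession = { isAnonymousUser: () => false };
```

Gating the helper as well as hiding the button matters because every path that ends in a download still goes through `fileDownload`, whether or not the menu item was shown.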

@dukenv0307

It's expected behavior that we decided on here: #22321

@melvin-bot melvin-bot bot added the Overdue label Nov 6, 2023
melvin-bot bot commented Nov 6, 2023

@muttmuure, @situchan Whoops! This issue is 2 days overdue. Let's get this updated quick!

situchan commented Nov 6, 2023

@muttmuure can you please double check the expected behavior?
If this is not a bug, I think we should update something, since this is reported by the QA team.

@melvin-bot melvin-bot bot removed the Overdue label Nov 6, 2023
@NisargDeveloper
Are you searching for a resolution?

@melvin-bot melvin-bot bot added the Overdue label Nov 8, 2023
@muttmuure
Seems like expected behavior to me

@melvin-bot melvin-bot bot removed the Overdue label Nov 9, 2023
@muttmuure
QA will come back to this issue and see that it is closed as expected. I'm not aware of anywhere that we say it is not.

@lanitochka17 if you find that we say that this should not happen, please let me know where and I will get it updated. Thank you!

Development

No branches or pull requests

8 participants