File Browser discloses text file content via /api/resources endpoint bypassing Perm.Download check
The /api/resources handler in http/resource.go serves file content without enforcing the user's download permission, unlike the other content-serving endpoints. This allows users with download disabled to read text file contents within their authorized scope via both the JSON content field and the X-Encoding raw-byte path.
http/resource.go
The advisory identifies resourceGetHandler in this file as the vulnerable sink: it loads file content with Content: true and has an X-Encoding branch that returns file bytes without a Perm.Download check.
http/raw.go
This neighboring endpoint is called out in the advisory as the correct reference behavior because it checks d.user.Perm.Download before serving content.
http/preview.go
This neighboring endpoint is another protected content-serving path that verifies download permission, useful for contrasting the missing guard in http/resource.go.