fix: resolve download 404 caused by file UUID / Celery task ID mismatch\n\nThe download route checked access using the file UUID from the URL,\nbut the session and usage_events only stored the Celery task ID.\nThese are different UUIDs, causing all downloads to return 404.\n\nFixes:\n- Add has_download_access() to check file_history table as fallback\n- Update assert_web/api_task_access to use file_history lookup\n- Remember file UUID in session when task status returns SUCCESS"

2026-03-20 10:07:48 +02:00
parent 94b23e511e
commit 0174f935c3
3 changed files with 39 additions and 1 deletions
--- a/backend/app/routes/tasks.py
+++ b/backend/app/routes/tasks.py
@@ -11,6 +11,7 @@ from app.services.policy_service import (
    resolve_api_actor,
    resolve_web_actor,
 )
+from app.utils.auth import remember_task_access

 tasks_bp = Blueprint("tasks", __name__)

@@ -52,6 +53,17 @@ def get_task_status(task_id: str):
        task_result = result.result or {}
        response["result"] = task_result

+        # Remember the file UUID in the session so the download route can verify access.
+        # The download URL contains a different UUID than the Celery task ID.
+        download_url = task_result.get("download_url", "")
+        if download_url:
+            parts = download_url.split("/")
+            # URL format: /api/download/<file_uuid>/<filename>
+            if len(parts) >= 4:
+                file_uuid = parts[3]
+                if file_uuid != task_id:
+                    remember_task_access(file_uuid)
+
    elif result.state == "FAILURE":
        response["error"] = str(result.info) if result.info else "Task failed."