fix: resolve download 404 caused by file UUID / Celery task ID mismatch\n\nThe download route checked access using the file UUID from the URL,\nbut the session and usage_events only stored the Celery task ID.\nThese are different UUIDs, causing all downloads to return 404.\n\nFixes:\n- Add has_download_access() to check file_history table as fallback\n- Update assert_web/api_task_access to use file_history lookup\n- Remember file UUID in session when task status returns SUCCESS"

2026-03-20 10:07:48 +02:00
parent 94b23e511e
commit 0174f935c3
3 changed files with 39 additions and 1 deletions
--- a/backend/app/services/account_service.py
+++ b/backend/app/services/account_service.py
@@ -678,6 +678,23 @@ def has_task_access(user_id: int, source: str, task_id: str) -> bool:
    return row is not None


+def has_download_access(user_id: int, file_task_id: str) -> bool:
+    """Return whether one user owns a file_history entry whose download_url contains the given file task id."""
+    pattern = f"/api/download/{file_task_id}/"
+    with _connect() as conn:
+        row = conn.execute(
+            """
+            SELECT 1
+            FROM file_history
+            WHERE user_id = ? AND download_url LIKE ?
+            LIMIT 1
+            """,
+            (user_id, f"%{pattern}%"),
+        ).fetchone()
+
+    return row is not None
+
+
 # ---------------------------------------------------------------------------
 # Password reset tokens
 # ---------------------------------------------------------------------------