getQueryParam('id');

        // Truthiness check: an absent id and the literal string "0" are both rejected here.
        if (!$id) {
            throw new BadRequest();
        }

        /** @var ?AttachmentEntity $attachment */
        $attachment = $this->entityManager->getEntityById(AttachmentEntity::ENTITY_TYPE, $id);

        if (!$attachment) {
            throw new NotFound();
        }

        // Authorization is per-entity: the caller must pass the ACL check for this
        // specific attachment, not just be allowed to read attachments in general.
        if (!$this->acl->checkEntity($attachment)) {
            throw new Forbidden();
        }

        // A record whose backing file is missing from storage is reported as NotFound,
        // indistinguishable from a non-existent id.
        if (!$this->fileStorageManager->exists($attachment)) {
            throw new NotFound();
        }

        // The type comes from the stored attachment record (set at upload time), so it is
        // only trusted after it passes the allowlist below.
        $fileType = $attachment->getType();

        // NOTE(review): in_array() is non-strict here. Pass `true` as the third argument so
        // that loose comparison (e.g. numeric-string coercion) cannot match an allowlist
        // entry it should not. An empty allowlist rejects every type.
        // The message echoes the rejected type back to the requester; that string originated
        // from the upload, so the error renderer must escape it for its output context.
        if (!in_array($fileType, $this->getAllowedFileTypeList())) {
            throw new Forbidden("Not allowed file type '{$fileType}'.");
        }

        // Refuse to serve a file whose upload has not completed.
        if ($attachment->isBeingUploaded()) {
            throw new Forbidden("Attachment is being-uploaded.");
        }

        // Only reached with an allowlisted type; the guard matters only if the allowlist
        // itself contains an empty entry. NOTE(review): consider also sending
        // `X-Content-Type-Options: nosniff` here if it is not added globally, so the
        // browser honours this type instead of sniffing the body.
        if ($fileType) {
            $response->setHeader('Content-Type', $fileType);
        }

        $stream = $this->fileStorageManager->getStream($attachment);

        // Prefer the stream's own size; fall back to the storage manager when the
        // stream cannot report one.
        $size = $stream->getSize() ?? $this->fileStorageManager->getSize($attachment);

        // The CSP restricts any script/resource loading by the served document to the
        // same origin — relevant if the allowlist ever admits a script-capable format
        // such as SVG. NOTE(review): `Pragma: public` marks an ACL-gated response as
        // shareable by caches; confirm that is intended for this endpoint.
        $response
            ->setHeader('Pragma', 'public')
            ->setHeader('Content-Length', (string) $size)
            ->setHeader('Content-Security-Policy', "default-src 'self'")
            ->setBody($stream);
    }

    /**
     * MIME types this endpoint is permitted to serve, read from application metadata
     * at `app.image.allowedFileTypeList`.
     *
     * Returns an empty list when the metadata key is absent; the caller then rejects
     * every type, which fails closed rather than open.
     *
     * @return string[]
     */
    private function getAllowedFileTypeList(): array
    {
        return $this->metadata->get(['app', 'image', 'allowedFileTypeList']) ?? [];
    }
}