
# BUG - Admin cannot download files from transfer detail page #2614

@victoritis

Description

Bug description

When an admin user views a transfer created by another user via ?s=transfer_detail&transfer_id=<id> and clicks Download, the request fails with:

GET /rest.php/transfer/<id>/options/enable_recipient_email_download_complete 400 (Bad Request)

Server logs show:

{"message":"rest_bad_parameter","details":{"parameter":"token"}}

The direct download link with token (?s=download&token=...) works fine. The issue is only with the pre-download REST check that client.js makes before initiating the download.

Root cause

In RestEndpointTransfer.class.php, the special case for enable_recipient_email_download_complete (introduced in commit 3c005ada, PR #2383) only allows the owner of the transfer to bypass the token requirement:

```php
if ($user->id == $transfer->userid) {
    $rc = false;
    return $rc;
}
```

An admin who is authenticated and has full permission over the transfer still falls through to:

```php
throw new RestBadParameterException('token');
```

This means admins can only download transfers they themselves uploaded, but not transfers from other users, even though they have permission via havePermission().

Expected behavior

An admin should be able to download any file from the transfer detail page, since:

  • havePermission() already correctly grants access to both owner and admin
  • The admin panel (?s=admin&as=transfers) links directly to transfer detail pages
  • download.php itself already respects admin permissions for the actual file download

Proposed fix

Replace the strict owner check with havePermission():

```php
// Before (only owner):
$user = Auth::user();
$transfer = Transfer::fromId($id);
if ($user->id == $transfer->userid) {
    $rc = false;
    return $rc;
}

// After (owner or admin):
$transfer = Transfer::fromId($id);
if ($transfer->havePermission()) {
    return false;
}
```

This is consistent with how other endpoints in the same file check permissions.

Steps to reproduce

  1. Log in as an admin user
  2. Go to ?s=admin&as=transfers and open a transfer created by another user
  3. Click Download on any file
  4. Open browser DevTools > Network tab
  5. Observe: GET /rest.php/transfer/<id>/options/enable_recipient_email_download_complete returns 400
  6. The UI shows a "rest_bad_parameter" error popup

Additional context

  • This only affects admin users downloading other users' transfers from the detail page
  • If the admin is also the owner of the transfer, it works fine (because $user->id == $transfer->userid is true)
  • The recipient download flow (with token) is unaffected
  • I believe I was able to download other users' files as admin in the past, but it's possible I was downloading my own transfers at the time. I'm not 100% sure whether this ever worked for non-owner admins, or if it has always been this way since PR ui3: transfer details no need for token #2383.

Environment

  • FileSender version: 3.6 / development3 (both affected, same code)
  • Commit that introduced the block: 3c005ada (Sep 2025, PR ui3: transfer details no need for token #2383)
  • The code has been the same across 3.6, development3, and master3 branches
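As an added illustration (not code from the issue or from FileSender), the following stand-alone PHP script models the "before" and "after" versions of the pre-download check and runs them against three callers: the owner, a non-owner admin, and an ordinary non-owner user. The `Transfer::havePermission()` semantics ("owner or admin") are an assumption taken from the issue text; FileSender's real method reads the user from `Auth::user()`, whereas this model passes the user in explicitly so it can run without the application.

```php
<?php
// Added example, not FileSender code: a stand-alone model of the two
// versions of the pre-download check discussed in this issue. It shows
// which callers each version lets through without a token, so a regression
// test for the fix can pin down all three roles.
//
// Assumption: Transfer::havePermission() means "the current user is the
// owner or an admin", as the issue states. The real method takes no
// argument and uses Auth::user(); this model passes the user explicitly.

final class User
{
    public function __construct(public int $id, public bool $isAdmin) {}
}

final class Transfer
{
    public function __construct(public int $id, public int $userid) {}

    /** Assumed semantics of FileSender's havePermission(): owner or admin. */
    public function havePermission(User $user): bool
    {
        return $user->id === $this->userid || $user->isAdmin;
    }
}

/** "Before": only the owner skips the token check; everyone else gets a 400. */
function tokenRequiredBefore(User $user, Transfer $transfer): bool
{
    if ($user->id == $transfer->userid) {
        return false;
    }
    return true; // real code: throw new RestBadParameterException('token')
}

/** "After": owner or admin skips the token check; other users still need a token. */
function tokenRequiredAfter(User $user, Transfer $transfer): bool
{
    if ($transfer->havePermission($user)) {
        return false;
    }
    return true;
}

// Constructed sample data: one transfer owned by user 1, and three callers.
$transfer = new Transfer(42, 1);
$callers = [
    'owner (uid 1)'      => new User(1, false),
    'admin (uid 2)'      => new User(2, true),
    'other user (uid 3)' => new User(3, false),
];

printf("%-20s %-8s %-8s\n", 'caller', 'before', 'after');
foreach ($callers as $label => $user) {
    printf(
        "%-20s %-8s %-8s\n",
        $label,
        tokenRequiredBefore($user, $transfer) ? '400' : 'ok',
        tokenRequiredAfter($user, $transfer) ? '400' : 'ok'
    );
}
```

Run with `php example.php` (PHP 8.0 or newer for constructor property promotion). The owner passes both versions, the non-owner admin is rejected only by the "before" version, and the ordinary non-owner user is rejected by both. That last row is the one worth asserting in a regression test: the fix should widen the bypass to admins only, not to every authenticated user.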
