Add a checkAuth function to linked-file agents

services/web/app/coffee/Features/LinkedFiles/LinkedFilesController.coffee

@@ -23,11 +23,14 @@ module.exports = LinkedFilesController = {
 
 		linkedFileData = Agent.sanitizeData(data)
 		linkedFileData.provider = provider
-		Agent.writeIncomingFileToDisk project_id, linkedFileData, user_id, (error, fsPath) ->
-			if error?
-				logger.error {err: error, project_id, name, linkedFileData, parent_folder_id, user_id}, 'error writing linked file to disk'
-				return Agent.handleError(error, req, res, next)
-			EditorController.upsertFile project_id, parent_folder_id, name, fsPath, linkedFileData, "upload", user_id, (error, file) ->
-				return next(error) if error?
-				res.json(new_file_id: file._id) # created
+		Agent.checkAuth project_id, data, user_id, (err, allowed) ->
+			return next(err) if err?
+			return ses.sendStatus(403) if !allowed
+			Agent.writeIncomingFileToDisk project_id, linkedFileData, user_id, (error, fsPath) ->
+				if error?
+					logger.error {err: error, project_id, name, linkedFileData, parent_folder_id, user_id}, 'error writing linked file to disk'
+					return Agent.handleError(error, req, res, next)
+				EditorController.upsertFile project_id, parent_folder_id, name, fsPath, linkedFileData, "upload", user_id, (error, file) ->
+					return next(error) if error?
+					res.json(new_file_id: file._id) # created
 }

services/web/app/coffee/Features/LinkedFiles/ProjectFileAgent.coffee

@@ -52,25 +52,30 @@ module.exports = ProjectFileAgent =
 			!!data.source_project_display_name
 		)
 
+	checkAuth: (project_id, data, current_user_id, callback = (error, allowed)->) ->
+		callback = _.once(callback)
+		if !ProjectFileAgent._validate(data)
+			return callback(new BadDataError())
+		{source_project_id, source_entity_path} = data
+		AuthorizationManager.canUserReadProject current_user_id, source_project_id, null, (err, canRead) ->
+			return callback(err) if err?
+			callback(null, canRead)
+
 	writeIncomingFileToDisk:
 		(project_id, data, current_user_id, callback = (error, fsPath) ->) ->
 			callback = _.once(callback)
 			if !ProjectFileAgent._validate(data)
 				return callback(new BadDataError())
 			{source_project_id, source_entity_path} = data
-			AuthorizationManager.canUserReadProject current_user_id, source_project_id,
-				null, (err, canRead) ->
-					return callback(err) if err?
-					return callback(new AccessDeniedError()) if !canRead
-					ProjectLocator.findElementByPath {
-						project_id: source_project_id,
-						path: source_entity_path
-					}, (err, entity, type) ->
-						if err?
-							if err.toString().match(/^not found.*/)
-								err = new SourceFileNotFoundError()
-							return callback(err)
-						ProjectFileAgent._writeEntityToDisk source_project_id, entity._id, type, callback
+			ProjectLocator.findElementByPath {
+				project_id: source_project_id,
+				path: source_entity_path
+			}, (err, entity, type) ->
+				if err?
+					if err.toString().match(/^not found.*/)
+						err = new SourceFileNotFoundError()
+					return callback(err)
+				ProjectFileAgent._writeEntityToDisk source_project_id, entity._id, type, callback
 
 	_writeEntityToDisk: (project_id, entity_id, type, callback=(err, location)->) ->
 		callback = _.once(callback)

services/web/app/coffee/Features/LinkedFiles/UrlAgent.coffee

@@ -27,6 +27,9 @@ module.exports = UrlAgent = {
 			url: @._prependHttpIfNeeded(data.url)
 		}
 
+	checkAuth: (project_id, data, current_user_id, callback = (error, allowed)->) ->
+		callback(null, true)
+
 	writeIncomingFileToDisk: (project_id, data, current_user_id, callback = (error, fsPath) ->) ->
 		callback = _.once(callback)
 		url = data.url