author | Julius Härtl <jus@bitgrid.net> | 2021-07-13 22:40:59 +0300 |
---|---|---|
committer | Julius Härtl <jus@bitgrid.net> | 2021-07-14 13:34:15 +0300 |
commit | 1f5149c69f6f2f33140c7208fabe3c8e49b02a61 (patch) | |
tree | 536b80472e88c840572d7e5be451cbc53428bdda | |
parent | 4c994ddff3b006fdeff11f269d2faf8f59d921c3 (diff) |
Check for share token permissions
Signed-off-by: Julius Härtl <jus@bitgrid.net>
-rw-r--r-- | lib/Controller/DocumentController.php | 8 | ||||
-rw-r--r-- | lib/Controller/OCSController.php | 9 | ||||
-rw-r--r-- | lib/TokenManager.php | 23 | ||||
-rw-r--r-- | tests/psalm-baseline.xml | 3 |
4 files changed, 32 insertions, 11 deletions
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php index f315ccdd..664d17a3 100644 --- a/lib/Controller/DocumentController.php +++ b/lib/Controller/DocumentController.php @@ -333,6 +333,10 @@ class DocumentController extends Controller { } } + if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) { + return new TemplateResponse('core', '403', [], 'guest'); + } + $node = $share->getNode(); if($node instanceof Folder) { $item = $node->getById($fileId)[0]; @@ -451,6 +455,10 @@ class DocumentController extends Controller { } } + if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) { + return new TemplateResponse('core', '403', [], 'guest'); + } + $node = $share->getNode(); if ($filePath !== null) { $node = $node->get($filePath); diff --git a/lib/Controller/OCSController.php b/lib/Controller/OCSController.php index 20927f4f..dfe8a16f 100644 --- a/lib/Controller/OCSController.php +++ b/lib/Controller/OCSController.php @@ -32,6 +32,7 @@ use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\OCS\OCSBadRequestException; use OCP\AppFramework\OCS\OCSForbiddenException; use OCP\AppFramework\OCS\OCSNotFoundException; +use OCP\Constants; use OCP\Files\File; use OCP\Files\Folder; use OCP\Files\IRootFolder; @@ -169,6 +170,10 @@ class OCSController extends \OCP\AppFramework\OCSController { throw new OCSForbiddenException(); } + if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) { + throw new OCSForbiddenException(); + } + $node = $share->getNode(); if ($node instanceof Folder) { $node = $node->get($path); @@ -214,6 +219,10 @@ class OCSController extends \OCP\AppFramework\OCSController { $node = $node->get($path); } + if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) { + return new DataResponse([], Http::STATUS_FORBIDDEN); + } + $direct = $this->directMapper->newDirect(null, $node->getId(), null, $shareToken, $initiatorServer, $initiatorToken); return new DataResponse([ 
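Review bot: The added check in the first DocumentController hunk uses `Constants::PERMISSION_READ` unqualified, but unlike the OCSController.php and TokenManager.php parts of this commit no `use OCP\Constants;` line is added to DocumentController.php (its diffstat is exactly the two four-line insertions). If the file does not already import that class, the name resolves to `OCA\Richdocuments\Controller\Constants` and the first share-link request fails with a class-not-found error rather than being denied. Confirm the import exists or add `use OCP\Constants;` alongside the file's other `use OCP\...` lines. The enclosing method starts and ends outside the hunk, so the checks preceding it (only closing braces are visible as context) cannot be assessed here.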
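Review bot: This second DocumentController hunk is a verbatim copy of the first one's check, and the same expression `($share->getPermissions() & Constants::PERMISSION_READ) === 0` appears four times in this commit with three different failure responses, so any later change to the rule has to be repeated in four places. Within this controller a private predicate such as `private function shareIsReadable(IShare $share): bool { return ($share->getPermissions() & Constants::PERMISSION_READ) !== 0; }` would let both hunks read `if (!$this->shareIsReadable($share)) { return new TemplateResponse('core', '403', [], 'guest'); }`; whether `IShare` is already imported here is not visible in the diff. A one-line comment on the check would also record why READ specifically is tested — presumably to keep upload-only (file-drop) link shares from opening documents, which should be confirmed against the share types this app accepts. The enclosing method starts outside the hunk.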
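Review bot: In the last OCSController hunk the read-permission check is placed after `$node = $node->get($path);`, whereas the hunk at line 169 performs it before `$share->getNode()` is touched. As placed, a share without read permission still has its tree walked with the caller-supplied `$path` before being refused, so if `get()` throws on an unknown path the caller learns whether the path exists instead of receiving 403 — a small disclosure and an inconsistency between the two endpoints. Move the three added lines up so they directly follow the share lookup, mirroring the earlier hunk; the lookup itself is outside this hunk. Returning `new DataResponse([], Http::STATUS_FORBIDDEN)` here while the sibling throws `OCSForbiddenException` is presumably dictated by the method's return type and deserves a short comment if so.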
diff --git a/lib/TokenManager.php b/lib/TokenManager.php index 503c25e9..8c563f73 100644 --- a/lib/TokenManager.php +++ b/lib/TokenManager.php @@ -26,12 +26,15 @@ use OCA\Richdocuments\Db\WopiMapper; use OCA\Richdocuments\Db\Wopi; use OCA\Richdocuments\Service\CapabilitiesService; use OCA\Richdocuments\WOPI\Parser; +use OCP\Constants; use OCP\Files\File; +use OCP\Files\ForbiddenException; use OCP\Files\IRootFolder; use OCP\Files\Node; use OCP\IGroupManager; use OCP\IURLGenerator; use OCP\IUserManager; +use OCP\Share\Exceptions\ShareNotFound; use OCP\Share\IManager; use OCP\IL10N; use OCP\Share\IShare; @@ -107,6 +110,11 @@ class TokenManager { /** @var File $file */ $rootFolder = $this->rootFolder; $share = $this->shareManager->getShareByToken($shareToken); + + if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) { + throw new ShareNotFound(); + } + $updatable = (bool)($share->getPermissions() & \OCP\Constants::PERMISSION_UPDATE); $hideDownload = $share->getHideDownload(); $owneruid = $share->getShareOwner(); @@ -202,16 +210,11 @@ class TokenManager { } $wopi = $this->wopiMapper->generateFileToken($fileId, $owneruid, $editoruid, $version, $updatable, $serverHost, $guestName, 0, $hideDownload, $direct, 0, $shareToken); - try { - - return [ - $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'], // url src might not be found ehre - $wopi->getToken(), - $wopi - ]; - } catch (\Exception $e) { - throw $e; - } + return [ + $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'], // url src might not be found ehre + $wopi->getToken(), + $wopi + ]; } /** diff --git a/tests/psalm-baseline.xml b/tests/psalm-baseline.xml index 9feb34b6..012ff820 100644 --- a/tests/psalm-baseline.xml +++ b/tests/psalm-baseline.xml 
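Review bot: The new check in the first TokenManager hunk throws `ShareNotFound` when the share exists but lacks read permission, so callers cannot tell a missing share from a denied one and the code reads as not-found where it is a refusal. The same commit imports `OCP\Files\ForbiddenException` in this file without using it anywhere in the diff — presumably the exception first intended here; either throw it (if the method's callers handle it) or drop the import, and document the choice, e.g. `// Reported as not-found on purpose: a link share without read access must look exactly like no share at all.` if that is the intent. Two lines below, `\OCP\Constants::PERMISSION_UPDATE` can now use the freshly imported alias: `$updatable = (bool)($share->getPermissions() & Constants::PERMISSION_UPDATE);`. The enclosing method begins outside the hunk.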
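Review bot: The re-added return in the second TokenManager hunk still indexes `['urlsrc']` unconditionally while its own trailing comment says the url src might not be found; if `getUrlSrc()` can return an array without that key, the caller silently gets `null` as the first tuple element and the failure only shows up later as a broken editor URL. Guard it explicitly — `$urlSrc = $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'] ?? null;` followed by `if ($urlSrc === null) { throw new \RuntimeException('No WOPI urlsrc for ' . $file->getMimeType()); }` — and fix the typo in the comment (`ehre` → `here`). Removing the try/catch that only rethrew is fine; the method's signature is outside the hunk.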
@@ -262,11 +262,12 @@ <InvalidScalarArgument occurrences="1"> <code>$node->getId()</code> </InvalidScalarArgument> - <MissingDependency occurrences="4"> + <MissingDependency occurrences="5"> <code>$this->rootFolder</code> <code>$this->rootFolder</code> <code>IRootFolder</code> <code>IRootFolder</code> + <code>ShareNotFound</code> </MissingDependency> <NullArgument occurrences="1"> <code>null</code> |