
github.com/nextcloud/richdocuments.git - Unnamed repository; edit this file 'description' to name the repository.
authorJulius Härtl <jus@bitgrid.net>2021-07-13 22:40:59 +0300
committerJulius Härtl <jus@bitgrid.net>2021-07-14 13:34:15 +0300
commit1f5149c69f6f2f33140c7208fabe3c8e49b02a61 (patch)
tree536b80472e88c840572d7e5be451cbc53428bdda /lib
parent4c994ddff3b006fdeff11f269d2faf8f59d921c3 (diff)
Check for share token permissions
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'lib')
-rw-r--r--lib/Controller/DocumentController.php8
-rw-r--r--lib/Controller/OCSController.php9
-rw-r--r--lib/TokenManager.php23
3 files changed, 30 insertions, 10 deletions
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index f315ccdd..664d17a3 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -333,6 +333,10 @@ class DocumentController extends Controller {
}
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ return new TemplateResponse('core', '403', [], 'guest');
+ }
+
$node = $share->getNode();
if($node instanceof Folder) {
$item = $node->getById($fileId)[0];
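Review bot: The denial branch returns `new TemplateResponse('core', '403', [], 'guest')` without setting a status, so unless the framework sets one elsewhere the client, proxies and access logs see the response's default status rather than 403. That makes rejected share tokens hard to tell apart from successful loads in monitoring. Build the response first and call `$response->setStatus(Http::STATUS_FORBIDDEN);` before returning it, assuming `OCP\AppFramework\Http` is imported in this file (the import block is outside the hunk). The second hunk in this file, at line 455, has the same branch. The enclosing method starts and ends outside the hunk.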
@@ -451,6 +455,10 @@ class DocumentController extends Controller {
}
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ return new TemplateResponse('core', '403', [], 'guest');
+ }
+
$node = $share->getNode();
if ($filePath !== null) {
$node = $node->get($filePath);
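Review bot: `Constants::PERMISSION_READ` is used here and in the hunk at line 333, but this file's diff adds no `use OCP\Constants;`, unlike OCSController.php and TokenManager.php in the same commit. If the import is not already present above the visible lines, the name resolves inside the controller's own namespace and the request fails with a class-not-found error instead of the intended 403 page. Confirm the import exists, or add `use OCP\Constants;` to the file's use block.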
diff --git a/lib/Controller/OCSController.php b/lib/Controller/OCSController.php
index 20927f4f..dfe8a16f 100644
--- a/lib/Controller/OCSController.php
+++ b/lib/Controller/OCSController.php
@@ -32,6 +32,7 @@ use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCS\OCSBadRequestException;
use OCP\AppFramework\OCS\OCSForbiddenException;
use OCP\AppFramework\OCS\OCSNotFoundException;
+use OCP\Constants;
use OCP\Files\File;
use OCP\Files\Folder;
use OCP\Files\IRootFolder;
@@ -169,6 +170,10 @@ class OCSController extends \OCP\AppFramework\OCSController {
throw new OCSForbiddenException();
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ throw new OCSForbiddenException();
+ }
+
$node = $share->getNode();
if ($node instanceof Folder) {
$node = $node->get($path);
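Review bot: The test `($share->getPermissions() & Constants::PERMISSION_READ) === 0` is now copied five times across three files, each with a different denial action, so a later change to the rule can easily miss one call site. A small shared helper would keep the rule in one place, for example `private function canRead(IShare $share): bool { return ($share->getPermissions() & Constants::PERMISSION_READ) !== 0; }`, leaving each caller to choose only the response. A test per entry point using a share without read permission would also pin the behaviour; none is visible in this commit, which is limited to `lib`.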
@@ -214,6 +219,10 @@ class OCSController extends \OCP\AppFramework\OCSController {
$node = $node->get($path);
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+
$direct = $this->directMapper->newDirect(null, $node->getId(), null, $shareToken, $initiatorServer, $initiatorToken);
return new DataResponse([
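Review bot: The read check runs after the `$node->get($path)` lookup in the context line above it, while the sibling hunk at line 169 checks before `$share->getNode()` is called. A token without read permission therefore still drives path resolution, and any difference between the error for a missing path and this 403 would show whether the path exists. Move the check to directly after the share is loaded, before any node access. The two hunks in this controller also differ in style: this one returns `new DataResponse([], Http::STATUS_FORBIDDEN)` and the other throws `OCSForbiddenException`, and using one form in both would be easier to follow. The method's beginning is outside the hunk, so the exact insertion point needs checking against the full body.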
diff --git a/lib/TokenManager.php b/lib/TokenManager.php
index 503c25e9..8c563f73 100644
--- a/lib/TokenManager.php
+++ b/lib/TokenManager.php
@@ -26,12 +26,15 @@ use OCA\Richdocuments\Db\WopiMapper;
use OCA\Richdocuments\Db\Wopi;
use OCA\Richdocuments\Service\CapabilitiesService;
use OCA\Richdocuments\WOPI\Parser;
+use OCP\Constants;
use OCP\Files\File;
+use OCP\Files\ForbiddenException;
use OCP\Files\IRootFolder;
use OCP\Files\Node;
use OCP\IGroupManager;
use OCP\IURLGenerator;
use OCP\IUserManager;
+use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
use OCP\IL10N;
use OCP\Share\IShare;
@@ -107,6 +110,11 @@ class TokenManager {
/** @var File $file */
$rootFolder = $this->rootFolder;
$share = $this->shareManager->getShareByToken($shareToken);
+
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ throw new ShareNotFound();
+ }
+
$updatable = (bool)($share->getPermissions() & \OCP\Constants::PERMISSION_UPDATE);
$hideDownload = $share->getHideDownload();
$owneruid = $share->getShareOwner();
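Review bot: The denial path throws `ShareNotFound`, yet the commit also imports `OCP\Files\ForbiddenException`, which none of the visible hunks use. Either the import is unused and should be dropped, or the intent was to throw it here; a short comment such as `// report as not found so a token without read access looks the same as an unknown token` would make the choice explicit. The method's docblock, outside the hunk, should list `@throws ShareNotFound` if it does not already. The new line uses the imported `Constants`, while the next line still writes `\OCP\Constants::PERMISSION_UPDATE`; use one form for both.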
@@ -202,16 +210,11 @@ class TokenManager {
}
$wopi = $this->wopiMapper->generateFileToken($fileId, $owneruid, $editoruid, $version, $updatable, $serverHost, $guestName, 0, $hideDownload, $direct, 0, $shareToken);
- try {
-
- return [
- $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'], // url src might not be found ehre
- $wopi->getToken(),
- $wopi
- ];
- } catch (\Exception $e) {
- throw $e;
- }
+ return [
+ $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'], // url src might not be found ehre
+ $wopi->getToken(),
+ $wopi
+ ];
}
/**
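Review bot: Dropping the no-op try/catch is fine, but the kept comment (with its typo "ehre") admits that `getUrlSrc(...)['urlsrc']` may be missing, and the array is still indexed unchecked. By then `generateFileToken` has already issued a WOPI token on the line above. Assuming `getUrlSrc` can return a result without that key, the caller gets a null URL alongside a live token. Resolve the URL before generating the token and fail explicitly when it is absent, for example `$urlSrc = $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'] ?? null;` followed by a guard that throws. The method body begins outside the hunk.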