Diffstat (limited to 'lib')
-rw-r--r--lib/Controller/DocumentController.php8
-rw-r--r--lib/Controller/OCSController.php24
-rw-r--r--lib/TokenManager.php23
3 files changed, 43 insertions, 12 deletions
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index f315ccdd..664d17a3 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -333,6 +333,10 @@ class DocumentController extends Controller {
}
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ return new TemplateResponse('core', '403', [], 'guest');
+ }
+
$node = $share->getNode();
if($node instanceof Folder) {
$item = $node->getById($fileId)[0];
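Review bot: `Constants` is referenced unqualified in the added read-permission check, but no `use OCP\Constants;` is added in this file's hunks, so the change relies on that import already existing above (not visible here); if it does not, PHP resolves the name inside the controller namespace and the request fails rather than returning 403. The same applies to the identical check added in the second hunk of this file (`@@ -451,6 +455,10 @@`). The same four-line `PERMISSION_READ` test is now repeated here, in OCSController and in TokenManager; a small shared helper such as `private function shareIsReadable(IShare $share): bool { return ($share->getPermissions() & Constants::PERMISSION_READ) !== 0; }` would keep the rule in one place. The enclosing method starts outside this hunk.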
@@ -451,6 +455,10 @@ class DocumentController extends Controller {
}
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ return new TemplateResponse('core', '403', [], 'guest');
+ }
+
$node = $share->getNode();
if ($filePath !== null) {
$node = $node->get($filePath);
diff --git a/lib/Controller/OCSController.php b/lib/Controller/OCSController.php
index 3294ea67..dfe8a16f 100644
--- a/lib/Controller/OCSController.php
+++ b/lib/Controller/OCSController.php
@@ -32,6 +32,7 @@ use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCS\OCSBadRequestException;
use OCP\AppFramework\OCS\OCSForbiddenException;
use OCP\AppFramework\OCS\OCSNotFoundException;
+use OCP\Constants;
use OCP\Files\File;
use OCP\Files\Folder;
use OCP\Files\IRootFolder;
@@ -39,6 +40,7 @@ use OCP\Files\Node;
use OCP\Files\NotFoundException;
use OCP\IRequest;
use OCP\IURLGenerator;
+use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
class OCSController extends \OCP\AppFramework\OCSController {
@@ -168,6 +170,10 @@ class OCSController extends \OCP\AppFramework\OCSController {
throw new OCSForbiddenException();
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ throw new OCSForbiddenException();
+ }
+
$node = $share->getNode();
if ($node instanceof Folder) {
$node = $node->get($path);
@@ -184,6 +190,7 @@ class OCSController extends \OCP\AppFramework\OCSController {
/**
* @PublicPage
* @NoCSRFRequired
+ * @BruteForceProtection(action=richdocumentsCreatePublicFromInitiator)
* @throws OCSForbiddenException
*/
public function createPublicFromInitiator(
@@ -193,9 +200,18 @@ class OCSController extends \OCP\AppFramework\OCSController {
string $path = '',
string $password = null
): DataResponse {
- $share = $this->shareManager->getShareByToken($shareToken);
+ try {
+ $share = $this->shareManager->getShareByToken($shareToken);
+ } catch (ShareNotFound $ex) {
+ $response = new DataResponse([], HTTP::STATUS_NOT_FOUND);
+ $response->throttle();
+ return $response;
+ }
+
if ($share->getPassword() && !$this->shareManager->checkPassword($share, $password)) {
- throw new OCSForbiddenException();
+ $response = new DataResponse([], HTTP::STATUS_FORBIDDEN);
+ $response->throttle();
+ return $response;
}
$node = $share->getNode();
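Review bot: The new not-found branch writes `HTTP::STATUS_NOT_FOUND` while the forbidden branch below and the later hunk in this method write `Http::STATUS_FORBIDDEN`; PHP resolves class names case-insensitively so both work, but the spelling should match the imported class, `$response = new DataResponse([], Http::STATUS_NOT_FOUND);`. This assumes `OCP\AppFramework\Http` is imported in this file (only the `Http\DataResponse` import is visible in the earlier hunk). The method signature begins in the previous hunk.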
@@ -203,6 +219,10 @@ class OCSController extends \OCP\AppFramework\OCSController {
$node = $node->get($path);
}
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+
$direct = $this->directMapper->newDirect(null, $node->getId(), null, $shareToken, $initiatorServer, $initiatorToken);
return new DataResponse([
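Review bot: The added read-permission check runs after `$node = $node->get($path)` has already been executed, whereas the equivalent check added to the `createPublic` handler earlier in this file (`@@ -168,6 +170,10 @@`) runs before the node is resolved; placing it after the lookup means a share without read permission still drives a path resolution whose outcome (an exception from `get()` versus this 403) can reveal whether `$path` exists. Moving the three new lines up to directly after the password check, before `$node = $share->getNode();`, makes the two handlers consistent and cheaper for unreadable shares. Unlike the two responses added above in this method, this 403 is not throttled; if that is deliberate, a one-line comment saying so would help, since the difference is easy to read as an oversight.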
diff --git a/lib/TokenManager.php b/lib/TokenManager.php
index 503c25e9..8c563f73 100644
--- a/lib/TokenManager.php
+++ b/lib/TokenManager.php
@@ -26,12 +26,15 @@ use OCA\Richdocuments\Db\WopiMapper;
use OCA\Richdocuments\Db\Wopi;
use OCA\Richdocuments\Service\CapabilitiesService;
use OCA\Richdocuments\WOPI\Parser;
+use OCP\Constants;
use OCP\Files\File;
+use OCP\Files\ForbiddenException;
use OCP\Files\IRootFolder;
use OCP\Files\Node;
use OCP\IGroupManager;
use OCP\IURLGenerator;
use OCP\IUserManager;
+use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
use OCP\IL10N;
use OCP\Share\IShare;
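Review bot: `use OCP\Files\ForbiddenException;` is added here, but the only new code in this file's later hunks throws `ShareNotFound`, so the import looks unused unless it is referenced in a part of the file not shown in this diff; if it is not, drop the line to keep static analysis clean.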
@@ -107,6 +110,11 @@ class TokenManager {
/** @var File $file */
$rootFolder = $this->rootFolder;
$share = $this->shareManager->getShareByToken($shareToken);
+
+ if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+ throw new ShareNotFound();
+ }
+
$updatable = (bool)($share->getPermissions() & \OCP\Constants::PERMISSION_UPDATE);
$hideDownload = $share->getHideDownload();
$owneruid = $share->getShareOwner();
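Review bot: The line immediately after the new check still spells the class as `\OCP\Constants::PERMISSION_UPDATE` while the new check uses the freshly imported `Constants`; for consistency within the same few lines, `$updatable = (bool)($share->getPermissions() & Constants::PERMISSION_UPDATE);`. Throwing `ShareNotFound` for a share that exists but lacks read permission is a deliberate-looking choice that hides the share's existence from the caller; a short comment on the `throw` stating that intent would stop a later maintainer from "fixing" it to `ForbiddenException`. The enclosing method starts outside this hunk.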
@@ -202,16 +210,11 @@ class TokenManager {
}
$wopi = $this->wopiMapper->generateFileToken($fileId, $owneruid, $editoruid, $version, $updatable, $serverHost, $guestName, 0, $hideDownload, $direct, 0, $shareToken);
- try {
-
- return [
- $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'], // url src might not be found ehre
- $wopi->getToken(),
- $wopi
- ];
- } catch (\Exception $e) {
- throw $e;
- }
+ return [
+ $this->wopiParser->getUrlSrc($file->getMimeType())['urlsrc'], // url src might not be found ehre
+ $wopi->getToken(),
+ $wopi
+ ];
}
/**
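Review bot: The trailing comment on the first element of the returned array, retained on the new side, has a typo: `// url src might not be found here`. The comment also warns that `urlsrc` may be absent, yet indexing `['urlsrc']` on a missing key would produce a warning and `null` rather than the exception the removed try/catch implied; whether that can actually happen depends on `Parser::getUrlSrc()`, which is not visible here, so either the comment or the access should be made to agree with that method's contract.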