From 3cfb4cbf94be0f4da1fd7e84b0e37aeb623d9690 Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Mon, 13 Jun 2022 15:50:43 +0200
Subject: Block download when needed on direct download endpoint
Signed-off-by: Vincent Petry
---
 apps/dav/lib/Controller/DirectController.php | 16 +++++++++++++++-
 apps/files_sharing/lib/AppInfo/Application.php | 2 ++
 2 files changed, 17 insertions(+), 1 deletion(-)
(limited to 'apps')
diff --git a/apps/dav/lib/Controller/DirectController.php b/apps/dav/lib/Controller/DirectController.php
index 955400998cf..260ef3bae04 100644
--- a/apps/dav/lib/Controller/DirectController.php
+++ b/apps/dav/lib/Controller/DirectController.php
@@ -31,8 +31,11 @@ use OCA\DAV\Db\DirectMapper;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSBadRequestException;
 use OCP\AppFramework\OCS\OCSNotFoundException;
+use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\AppFramework\OCSController;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\EventDispatcher\GenericEvent;
+use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Files\File;
 use OCP\Files\IRootFolder;
 use OCP\IRequest;
@@ -59,6 +62,8 @@ class DirectController extends OCSController {
 /** @var IURLGenerator */
 private $urlGenerator;
+ /** @var IEventDispatcher */
+ private $eventDispatcher;
 public function __construct(string $appName,
 IRequest $request,
@@ -67,7 +72,8 @@ class DirectController extends OCSController {
 DirectMapper $mapper,
 ISecureRandom $random,
 ITimeFactory $timeFactory,
- IURLGenerator $urlGenerator) {
+ IURLGenerator $urlGenerator,
+ IEventDispatcher $eventDispatcher) {
 parent::__construct($appName, $request);
 $this->rootFolder = $rootFolder;
@@ -76,6 +82,7 @@ class DirectController extends OCSController {
 $this->random = $random;
 $this->timeFactory = $timeFactory;
 $this->urlGenerator = $urlGenerator;
+ $this->eventDispatcher = $eventDispatcher;
 }
 /**
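Review bot: `use OCP\AppFramework\OCS\OCSForbiddenException;` is inserted after the `OCSNotFoundException` import, which breaks the alphabetical order the surrounding `use` block otherwise keeps; move it one line up so it precedes `OCSNotFoundException`. The remaining hunks in this file (the new property, constructor parameter and assignment) are plain dependency wiring with nothing further to raise.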
@@ -99,6 +106,13 @@ class DirectController extends OCSController {
 throw new OCSBadRequestException('Direct download only works for files');
 }
+ $event = new GenericEvent(null, ['path' => $userFolder->getRelativePath($file->getPath())]);
+ $this->eventDispatcher->dispatch('file.beforeGetDirect', $event);
+
+ if ($event->getArgument('run') === false) {
+ throw new OCSForbiddenException('Permission denied to download file');
+ }
+
 //TODO: at some point we should use the directdownlaod function of storages
 $direct = new Direct();
 $direct->setUserId($this->userId);
diff --git a/apps/files_sharing/lib/AppInfo/Application.php b/apps/files_sharing/lib/AppInfo/Application.php
index 451d6b6557a..ae039520c5b 100644
--- a/apps/files_sharing/lib/AppInfo/Application.php
+++ b/apps/files_sharing/lib/AppInfo/Application.php
@@ -165,6 +165,7 @@ class Application extends App implements IBootstrap {
 'file.beforeGetDirect',
 function (GenericEvent $event) use ($userSession, $rootFolder) {
 $pathsToCheck = [$event->getArgument('path')];
+ $event->setArgument('run', true);
 // Check only for user/group shares. Don't restrict e.g. share links
 if ($userSession && $userSession->isLoggedIn()) {
@@ -173,6 +174,7 @@ class Application extends App implements IBootstrap {
 $rootFolder->getUserFolder($uid)
 );
 if (!$viewOnlyHandler->check($pathsToCheck)) {
+ $event->setArgument('run', false);
 $event->setArgument('errorMessage', 'Access to this resource or one of its sub-items has been denied.');
 }
 }
--
cgit v1.2.3
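Review bot: The guard `if ($event->getArgument('run') === false)` depends on an argument that nothing in this controller sets; it is supplied only by the files_sharing listener (the -165 and -174 hunks in Application.php). When that app is disabled or its listener is not registered, `getArgument('run')` on a GenericEvent that lacks the key raises an InvalidArgumentException as far as I recall the OCP implementation (worth confirming), so the endpoint would answer with an unhandled exception rather than a clean allow or deny. Seeding the default where the event is built, `$event = new GenericEvent(null, ['path' => $userFolder->getRelativePath($file->getPath()), 'run' => true]);`, keeps the decision's default in the controller and lets the listener drop the unconditional `$event->setArgument('run', true);` in the -165 hunk, which as written also overwrites a `false` set by any listener dispatched before it. The listener's `errorMessage` argument is not read here, so the fixed 'Permission denied to download file' text is what callers see; that may be intended. The enclosing method starts before and continues after this hunk.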