
github.com/nextcloud/spreed.git - Unnamed repository; edit this file 'description' to name the repository.
authorJoas Schilling <coding@schilljs.com>2019-08-16 22:10:00 +0300
committerDaniel Calviño Sánchez <danxuliu@gmail.com>2019-09-26 11:54:28 +0300
commit41a15569570b1b1208d7a4c2221fb0a9efcb2711 (patch)
treee93619febb0594e92d15f1f64cf5aceecc53ecff /lib/Controller
parentb4a2907146daf30913208e9848a8c133b2dc666c (diff)
Correctly check if the share has a password and if it was entered correctly.
This prevents joining the room for a file shared by link and protected by password if the password has not been entered yet. Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'lib/Controller')
-rw-r--r--lib/Controller/PublicShareController.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/lib/Controller/PublicShareController.php b/lib/Controller/PublicShareController.php
index 54b8e8acd..ab7f6f395 100644
--- a/lib/Controller/PublicShareController.php
+++ b/lib/Controller/PublicShareController.php
@@ -33,6 +33,7 @@ use OCP\AppFramework\OCSController;
use OCP\Files\FileInfo;
use OCP\Files\NotFoundException;
use OCP\IRequest;
+use OCP\ISession;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager as ShareManager;
use OCP\Share\IShare;
@@ -41,6 +42,8 @@ class PublicShareController extends OCSController {
/** @var ShareManager */
private $shareManager;
+ /** @var ISession */
+ private $session;
/** @var TalkSession */
private $talkSession;
/** @var Manager */
@@ -50,11 +53,13 @@ class PublicShareController extends OCSController {
$appName,
IRequest $request,
ShareManager $shareManager,
+ ISession $session,
TalkSession $talkSession,
Manager $manager
) {
parent::__construct($appName, $request);
$this->shareManager = $shareManager;
+ $this->session = $session;
$this->talkSession = $talkSession;
$this->manager = $manager;
}
@@ -89,6 +94,12 @@ class PublicShareController extends OCSController {
public function getRoom(string $shareToken) {
try {
$share = $this->shareManager->getShareByToken($shareToken);
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new ShareNotFound();
+ }
+ }
} catch (ShareNotFound $e) {
return new DataResponse([], Http::STATUS_NOT_FOUND);
}
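Review bot: The new password gate in `getRoom` compares `$share->getId()` against the `'public_link_authenticated'` session value with `!==`, so it depends on both values having the same type and on that session key being written by whatever flow verifies the link password, neither of which is visible in this hunk. A mismatch fails closed, with the same 404 as an unknown token, which is the safe direction, but it would silently lock out visitors who did enter the password. I would document this above the check, for example `// Session value is set once the link password was verified; compare strictly and answer 404 so a protected share is indistinguishable from a missing one`. A controller test covering a password-protected share with and without the session value would also pin the behaviour. The body of `getRoom` continues past the end of the hunk, so the code after the `catch` should be checked to confirm it cannot be reached by another path that skips this check.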