
github.com/nextcloud/spreed.git - Unnamed repository; edit this file 'description' to name the repository.
authorDaniel Calviño Sánchez <danxuliu@gmail.com>2020-11-24 12:13:30 +0300
committerDaniel Calviño Sánchez <danxuliu@gmail.com>2020-11-24 20:59:54 +0300
commit630e2f4acb89b90c6ba718d240b4f0a92dce317a (patch)
tree54d0addab7926a39af8a1d6c8b084d36bcc43643 /lib/PublicShareAuth
parent88aa97a5f90cad4f74d0a986f5f1dc1aba4f3c8d (diff)
Fix owner being able to add more users to a password request room
Only the owner and another participant will be allowed to join a password request room, so there is no point in being able to add more participants to those rooms. Although throwing the exception in the listener is enough to prevent adding the participants, unhandled exceptions in the endpoint are returned as error 404, while the expected error would be 400. To minimize conflicts with other pull requests and backports, it is explicitly checked whether the room is a password request room instead of refactoring the code to handle the exception. Signed-off-by: Daniel Calviño Sánchez <danxuliu@gmail.com>
Diffstat (limited to 'lib/PublicShareAuth')
-rw-r--r--lib/PublicShareAuth/Listener.php34
1 files changed, 34 insertions, 0 deletions
diff --git a/lib/PublicShareAuth/Listener.php b/lib/PublicShareAuth/Listener.php
index 345b2c283..01c47fdfd 100644
--- a/lib/PublicShareAuth/Listener.php
+++ b/lib/PublicShareAuth/Listener.php
@@ -24,6 +24,7 @@ declare(strict_types=1);
namespace OCA\Talk\PublicShareAuth;
+use OCA\Talk\Events\AddParticipantsEvent;
use OCA\Talk\Events\JoinRoomGuestEvent;
use OCA\Talk\Events\JoinRoomUserEvent;
use OCA\Talk\Events\RoomEvent;
@@ -58,6 +59,11 @@ class Listener {
};
$dispatcher->addListener(Room::EVENT_BEFORE_GUEST_CONNECT, $listener);
+ $listener = static function (AddParticipantsEvent $event) {
+ self::preventExtraUsersFromBeingAdded($event->getRoom(), $event->getParticipants());
+ };
+ $dispatcher->addListener(Room::EVENT_BEFORE_USERS_ADD, $listener);
+
$listener = static function (RoomEvent $event) {
self::destroyRoomOnParticipantLeave($event->getRoom());
};
@@ -117,6 +123,34 @@ class Listener {
}
/**
+ * Prevents other users from being added to the room (as they will not be
+ * able to join).
+ *
+ * This method should be called before a user is added to a room.
+ *
+ * @param Room $room
+ * @param array[] $participants
+ * @throws \OverflowException
+ */
+ public static function preventExtraUsersFromBeingAdded(Room $room, array $participants): void {
+ if ($room->getObjectType() !== 'share:password') {
+ return;
+ }
+
+ // Events with more than one participant can be directly aborted, as
+ // when the owner is added during room creation or a user self-joins the
+ // event will always have just one participant.
+ if (count($participants) > 1) {
+ throw new \OverflowException('Only the owner and another participant are allowed in rooms to request the password for a share');
+ }
+
+ $participant = $participants[0];
+ if ($participant['participantType'] !== Participant::OWNER && $participant['participantType'] !== Participant::USER_SELF_JOINED) {
+ throw new \OverflowException('Only the owner and another participant are allowed in rooms to request the password for a share');
+ }
+ }
+
+ /**
* Destroys the PublicShareAuth room as soon as one of the participant
* leaves the room.
*
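Review bot: The `$participants[0]` lookup in `preventExtraUsersFromBeingAdded` rejects an empty or non-zero-indexed `$participants` array only by accident: the undefined offset evaluates to null, raises a PHP notice or warning, and then fails both type comparisons. Since this is the guard that keeps third parties out of a `share:password` room, the deny path should be explicit, for example `$type = $participants[0]['participantType'] ?? null;` followed by the existing comparison against `$type`. The check also admits any single `Participant::OWNER` or `Participant::USER_SELF_JOINED` entry without looking at how many participants the room already holds, so the two-person limit presumably depends on the join-time listeners registered earlier in this class, which are outside this hunk. The docblock should say so, e.g. `* The limit on the number of participants itself is enforced when joining, not here.`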