Merge pull request #2048 from nextcloud/bugfix/noid/collections

Correctly check if a user has access to a conversation

2 files changed, 82 insertions, 2 deletions

diff --git a/lib/Collaboration/Resources/ConversationProvider.php b/lib/Collaboration/Resources/ConversationProvider.php
index 549034325..6621a13b6 100644
--- a/lib/Collaboration/Resources/ConversationProvider.php
+++ b/lib/Collaboration/Resources/ConversationProvider.php
@@ -22,8 +22,10 @@ declare(strict_types=1);
 
 namespace OCA\Spreed\Collaboration\Resources;
 
+use OCA\Spreed\Exceptions\ParticipantNotFoundException;
 use OCA\Spreed\Exceptions\RoomNotFoundException;
 use OCA\Spreed\Manager;
+use OCA\Spreed\Participant;
 use OCA\Spreed\Room;
 use OCP\Collaboration\Resources\IProvider;
 use OCP\Collaboration\Resources\IResource;
@@ -76,14 +78,25 @@ class ConversationProvider implements IProvider {
 	}
 
 	public function canAccessResource(IResource $resource, IUser $user = null): bool {
+		$userId = $user instanceof IUser ? $user->getUID() : null;
+		if ($userId === null) {
+			throw new ResourceException('Guests are not supported at the moment');
+		}
+
 		try {
 			$room = $this->manager->getRoomForParticipantByToken(
 				$resource->getId(),
-				$user instanceof IUser ? $user->getUID() : null
+				$userId
 			);
-			return $user instanceof IUser || $room->getType() === Room::PUBLIC_CALL;
+
+			// Logged in users need to have a regular participant,
+			// before they can do anything with the room.
+			$participant = $room->getParticipant($userId);
+			return $participant->getParticipantType() !== Participant::USER_SELF_JOINED;
 		} catch (RoomNotFoundException $e) {
 			throw new ResourceException('Conversation not found');
+		} catch (ParticipantNotFoundException $e) {
+			throw new ResourceException('Participant not found');
 		}
 	}
 
diff --git a/lib/Migration/ClearResourceAccessCache.php b/lib/Migration/ClearResourceAccessCache.php
new file mode 100644
index 000000000..9a2d45ad9
--- /dev/null
+++ b/lib/Migration/ClearResourceAccessCache.php
@@ -0,0 +1,67 @@
+<?php
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2019, Joas Schilling <coding@schilljs.com>
+ *
+ * @author Joas Schilling <coding@schilljs.com>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ *
+ */
+
+namespace OCA\Spreed\Migration;
+
+use OCA\Spreed\Collaboration\Resources\ConversationProvider;
+use OCP\Collaboration\Resources\IManager;
+use OCP\IConfig;
+use OCP\Migration\IOutput;
+use OCP\Migration\IRepairStep;
+
+class ClearResourceAccessCache implements IRepairStep {
+
+	protected const INVALIDATIONS = 1;
+
+	/** @var IConfig */
+	protected $config;
+	/** @var IManager */
+	protected $manager;
+	/** @var ConversationProvider */
+	protected $provider;
+
+	public function __construct(IConfig $config,
+								IManager $manager,
+								ConversationProvider $provider) {
+		$this->config = $config;
+		$this->manager = $manager;
+		$this->provider = $provider;
+	}
+
+	public function getName(): string {
+		return 'Invalidate access cache for projects conversation provider';
+	}
+
+	public function run(IOutput $output): void {
+		$invalidatedCache = (int) $this->config->getAppValue('spreed', 'project_access_invalidated', '0');
+
+		if ($invalidatedCache === self::INVALIDATIONS) {
+			$output->info('Invalidation not required');
+			return;
+		}
+
+		$this->manager->invalidateAccessCacheForProvider($this->provider);
+		$this->config->setAppValue('spreed', 'project_access_invalidated', (string) self::INVALIDATIONS);
+	}
+}