authorJulius Härtl <jus@bitgrid.net>2020-09-07 08:54:08 +0300
committerGitHub <noreply@github.com>2020-09-07 08:54:08 +0300
commitb62b6efa3ca9b18ec0135f9c12ff4352cf312792 (patch)
treeaccc9a7ecd0a6f74b06633587dfc20640977226d
parentdeda0a5690d2159055afe2cf81efff8295a5d53c (diff)
parentd93fbc5476fde6124a7048bfc398a685d9fb90fc (diff)
Merge pull request #1018 from nextcloud/backport/1016/stable18
[stable18] Harden read only check on public endpoints
-rw-r--r--lib/Service/ApiService.php12
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php
index 93f877317..4162a0a6d 100644
--- a/lib/Service/ApiService.php
+++ b/lib/Service/ApiService.php
@@ -32,6 +32,7 @@ use OCA\Activity\Data;
use OCA\Text\DocumentHasUnsavedChangesException;
use OCA\Text\DocumentSaveConflictException;
use OCA\Text\VersionMismatchException;
+use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\Http\FileDisplayResponse;
use OCP\AppFramework\Http\NotFoundResponse;
@@ -63,6 +64,17 @@ class ApiService {
/** @var File $file */
if ($token) {
$file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath'));
+
+ /*
+ * Check if we have proper read access (files drop)
+ * If not then well 404 it is.
+ */
+ try {
+ $this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ);
+ } catch (NotFoundException $e) {
+ return new DataResponse([], Http::STATUS_NOT_FOUND);
+ }
+
try {
$this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE);
$readOnly = false;