diff options
author | Julius Härtl <jus@bitgrid.net> | 2020-09-07 08:54:08 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-07 08:54:08 +0300 |
commit | b62b6efa3ca9b18ec0135f9c12ff4352cf312792 (patch) | |
tree | accc9a7ecd0a6f74b06633587dfc20640977226d | |
parent | deda0a5690d2159055afe2cf81efff8295a5d53c (diff) | |
parent | d93fbc5476fde6124a7048bfc398a685d9fb90fc (diff) |
Merge pull request #1018 from nextcloud/backport/1016/stable18
[stable18] Harden read only check on public endpoints
-rw-r--r-- | lib/Service/ApiService.php | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php index 93f877317..4162a0a6d 100644 --- a/lib/Service/ApiService.php +++ b/lib/Service/ApiService.php @@ -32,6 +32,7 @@ use OCA\Activity\Data; use OCA\Text\DocumentHasUnsavedChangesException; use OCA\Text\DocumentSaveConflictException; use OCA\Text\VersionMismatchException; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\Http\FileDisplayResponse; use OCP\AppFramework\Http\NotFoundResponse; @@ -63,6 +64,17 @@ class ApiService { /** @var File $file */ if ($token) { $file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath')); + + /* + * Check if we have proper read access (files drop) + * If not then well 404 it is. + */ + try { + $this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ); + } catch (NotFoundException $e) { + return new DataResponse([], Http::STATUS_NOT_FOUND); + } + try { $this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE); $readOnly = false; |