diff options
| author | Roeland Jago Douma <roeland@famdouma.nl> | 2020-09-06 21:54:03 +0300 |
|---|---|---|
| committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2020-09-07 08:02:16 +0300 |
| commit | d93fbc5476fde6124a7048bfc398a685d9fb90fc (patch) | |
| tree | accc9a7ecd0a6f74b06633587dfc20640977226d | |
| parent | deda0a5690d2159055afe2cf81efff8295a5d53c (diff) | |
Harden read only check on public endpoints
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
| -rw-r--r-- | lib/Service/ApiService.php | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php index 93f877317..4162a0a6d 100644 --- a/lib/Service/ApiService.php +++ b/lib/Service/ApiService.php @@ -32,6 +32,7 @@ use OCA\Activity\Data; use OCA\Text\DocumentHasUnsavedChangesException; use OCA\Text\DocumentSaveConflictException; use OCA\Text\VersionMismatchException; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\Http\FileDisplayResponse; use OCP\AppFramework\Http\NotFoundResponse; @@ -63,6 +64,17 @@ class ApiService { /** @var File $file */ if ($token) { $file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath')); + + /* + * Check if we have proper read access (files drop) + * If not then well 404 it is. + */ + try { + $this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ); + } catch (NotFoundException $e) { + return new DataResponse([], Http::STATUS_NOT_FOUND); + } + try { $this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE); $readOnly = false; |