diff options
author | Roeland Jago Douma <roeland@famdouma.nl> | 2020-09-06 21:54:03 +0300 |
---|---|---|
committer | Roeland Jago Douma <roeland@famdouma.nl> | 2020-09-06 21:54:03 +0300 |
commit | 3d608de733016c72d60669e538fc7b117c66d860 (patch) | |
tree | 8972625dc1d51393a260cc6efededad1be756390 | |
parent | 44d7dacaaba9136d64930c26008199d597a605eb (diff) |
Harden read only check on public endpoints
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
-rw-r--r-- | lib/Service/ApiService.php | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php index 097e6a39e..d318c1520 100644 --- a/lib/Service/ApiService.php +++ b/lib/Service/ApiService.php @@ -32,6 +32,7 @@ use OCA\Activity\Data; use OCA\Text\DocumentHasUnsavedChangesException; use OCA\Text\DocumentSaveConflictException; use OCA\Text\VersionMismatchException; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\Http\FileDisplayResponse; use OCP\AppFramework\Http\NotFoundResponse; @@ -63,6 +64,17 @@ class ApiService { /** @var File $file */ if ($token) { $file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath')); + + /* + * Check if we have proper read access (files drop) + * If not then well 404 it is. + */ + try { + $this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ); + } catch (NotFoundException $e) { + return new DataResponse([], Http::STATUS_NOT_FOUND); + } + try { $this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE); $readOnly = false; |