diff options
author | Julius Härtl <jus@bitgrid.net> | 2020-09-07 08:01:44 +0300 |
---|---|---|
committer | GitHub <noreply@github.com> | 2020-09-07 08:01:44 +0300 |
commit | f81b55e960f5dd5b801f6ed90b33d5641eb7b83e (patch) | |
tree | ea747dc295b93c491b1cc348f6d1851cb3137681 | |
parent | 79fce82f5217897af86794a9f27f3ae1d706d53b (diff) | |
parent | 3d608de733016c72d60669e538fc7b117c66d860 (diff) |
Merge pull request #1016 from nextcloud/enh/check_ro_public_shares
Harden read only check on public endpoints
-rw-r--r-- | lib/Service/ApiService.php | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php index 097e6a39e..d318c1520 100644 --- a/lib/Service/ApiService.php +++ b/lib/Service/ApiService.php @@ -32,6 +32,7 @@ use OCA\Activity\Data; use OCA\Text\DocumentHasUnsavedChangesException; use OCA\Text\DocumentSaveConflictException; use OCA\Text\VersionMismatchException; +use OCP\AppFramework\Http; use OCP\AppFramework\Http\DataResponse; use OCP\AppFramework\Http\FileDisplayResponse; use OCP\AppFramework\Http\NotFoundResponse; @@ -63,6 +64,17 @@ class ApiService { /** @var File $file */ if ($token) { $file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath')); + + /* + * Check if we have proper read access (files drop) + * If not then well 404 it is. + */ + try { + $this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ); + } catch (NotFoundException $e) { + return new DataResponse([], Http::STATUS_NOT_FOUND); + } + try { $this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE); $readOnly = false; |