author | Julius Härtl <jus@bitgrid.net> | 2021-10-06 10:23:44 +0300 |
---|---|---|
committer | Julius Härtl <jus@bitgrid.net> | 2021-10-06 10:23:44 +0300 |
commit | 1414ae56209ef5d363a83396dd3c988bd111d6f0 (patch) | |
tree | 72dced468c14676a307cc40c62073d880fb8b8d0 /lib | |
parent | 31115d4cc2d67345cdcc0e745708d7be3859cd77 (diff) |
Additional checks for workspace controller
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Controller/WorkspaceController.php | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/lib/Controller/WorkspaceController.php b/lib/Controller/WorkspaceController.php
index 4bffc6b49..4cde7e1f5 100644
--- a/lib/Controller/WorkspaceController.php
+++ b/lib/Controller/WorkspaceController.php
@@ -52,6 +52,7 @@ use OCA\Text\Service\WorkspaceService;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCSController;
+use OCP\Constants;
 use OCP\DirectEditing\IManager as IDirectEditingManager;
 use OCP\DirectEditing\RegisterDirectEditorEvent;
 use OCP\EventDispatcher\IEventDispatcher;
@@ -61,6 +62,7 @@ use OCP\Files\NotFoundException;
 use OCP\Files\NotPermittedException;
 use OCP\Files\StorageNotAvailableException;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
@@ -92,7 +94,10 @@ class WorkspaceController extends OCSController {
 /** @var LoggerInterface */
 private $logger;
- public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, $userId) {
+ /** @var ISession */
+ private $session;
+
+ public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, ISession $session, $userId) {
 parent::__construct($appName, $request);
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
@@ -102,6 +107,7 @@ class WorkspaceController extends OCSController {
 $this->urlGenerator = $urlGenerator;
 $this->eventDispatcher = $eventDispatcher;
 $this->logger = $logger;
+ $this->session = $session;
 }
 /**
@@ -155,6 +161,15 @@ class WorkspaceController extends OCSController {
 public function publicFolder(string $shareToken, string $path = '/'): DataResponse {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
+ if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
+ throw new ShareNotFound();
+ }
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new ShareNotFound();
+ }
+ }
 $folder = $share->getNode()->get($path);
 if ($folder instanceof Folder) {
 $file = $this->workspaceService->getFile($folder); |
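Review bot: The password gate added to `publicFolder()` relies on the session key `'public_link_authenticated'` holding exactly the value and type that `$share->getId()` returns, and nothing in the hunk shows where that key is written. With `!==`, an int-versus-string mismatch would reject a visitor who has already entered the share password; that fails closed, but it is hard to diagnose, so normalising both sides, e.g. `if ((string)$share->getId() !== (string)$shareId) {`, or a comment naming the code that sets the key, would make the contract explicit. The read-permission and password checks could also live in one private helper, so that any other share-token endpoint in this controller (none is visible here) applies the same gate. The `catch` clauses of the `try` block lie outside the hunk, so how `ShareNotFound` is turned into a response cannot be confirmed from these lines.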