author | Roeland Jago Douma <roeland@famdouma.nl> | 2020-09-06 21:54:03 +0300 |
committer | backportbot[bot] <backportbot[bot]@users.noreply.github.com> | 2020-09-07 08:01:59 +0300 |
commit | e69c6d71f9ce712fd32523a0946eec13880b6603 (patch) | |
tree | 9ed5d8ef594c9a5bac825aab2cade97acb159a29 /lib | |
parent | 7a24fa7098a89f5f8a957b46281b2ffb83a5901b (diff) |
Harden read only check on public endpoints
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
Diffstat (limited to 'lib')
-rw-r--r-- | lib/Service/ApiService.php | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php
index 097e6a39e..d318c1520 100644
--- a/lib/Service/ApiService.php
+++ b/lib/Service/ApiService.php
@@ -32,6 +32,7 @@ use OCA\Activity\Data;
 use OCA\Text\DocumentHasUnsavedChangesException;
 use OCA\Text\DocumentSaveConflictException;
 use OCA\Text\VersionMismatchException;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
@@ -63,6 +64,17 @@ class ApiService {
 /** @var File $file */
 if ($token) {
 $file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath'));
+
+ /*
+ * Check if we have proper read access (files drop)
+ * If not then well 404 it is.
+ */
+ try {
+ $this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ);
+ } catch (NotFoundException $e) {
+ return new DataResponse([], Http::STATUS_NOT_FOUND);
+ }
+
 try {
 $this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE);
 $readOnly = false; |
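Review bot: The new PERMISSION_READ check in the second hunk runs only after `getFileByShareToken($token, $this->request->getParam('filePath'))` has already resolved the caller-supplied path, so a share that grants no read access still drives a file lookup before it is rejected; moving the `try { checkSharePermissions($token, Constants::PERMISSION_READ) } catch (NotFoundException $e) { return new DataResponse([], Http::STATUS_NOT_FOUND); }` block above the `$file = ...` line would make the permission check the first thing done with the token (whether the lookup itself has observable side effects is not visible here). Only `NotFoundException` is caught, so if `checkSharePermissions` signals a denial through any other exception type the request would not get the intended 404 — worth confirming against that method's contract, which is outside the hunk. The comment would read better stating the intent, e.g. `// Upload-only ("files drop") shares grant no read permission; answer 404 so the response does not reveal whether the file exists.`, and `$e` is unused in the catch. Whether `Constants` and `NotFoundException` are imported is also outside the hunk, as only `Http` is added; the enclosing method starts and ends outside the hunk.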