From d93fbc5476fde6124a7048bfc398a685d9fb90fc Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma <roeland@famdouma.nl>
Date: Sun, 6 Sep 2020 20:54:03 +0200
Subject: Harden read only check on public endpoints

Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
---
 lib/Service/ApiService.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php
index 93f877317..4162a0a6d 100644
--- a/lib/Service/ApiService.php
+++ b/lib/Service/ApiService.php
@@ -32,6 +32,7 @@ use OCA\Activity\Data;
 use OCA\Text\DocumentHasUnsavedChangesException;
 use OCA\Text\DocumentSaveConflictException;
 use OCA\Text\VersionMismatchException;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
@@ -63,6 +64,17 @@ class ApiService {
 			/** @var File $file */
 			if ($token) {
 				$file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath'));
+
+				/*
+				 * Check if we have proper read access (files drop)
+				 * If not then well 404 it is.
+				 */
+				try {
+					$this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ);
+				} catch (NotFoundException $e) {
+					return new DataResponse([], Http::STATUS_NOT_FOUND);
+				}
+
 				try {
 					$this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE);
 					$readOnly = false;
-- 
cgit v1.2.3