fix: Apply checks on shares in the middleware
Signed-off-by: Julius Härtl <[email protected]>
Signed-off-by: Max <[email protected]>
juliusknorr authored and max-nextcloud committed Oct 9, 2024
1 parent 3d096d8 commit 0181efe
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions lib/Service/AttachmentService.php
@@ -39,6 +39,7 @@
use OCP\Files\NotPermittedException;
use OCP\Files\SimpleFS\ISimpleFile;
use OCP\IPreview;
use OCP\ISession;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IShare;
use OCP\Util;
@@ -59,6 +60,10 @@ class AttachmentService {
* @var IPreview
*/
private $previewManager;
/**
* @var ISession
*/
private $session;
/**
* @var IMimeTypeDetector
*/
@@ -67,10 +72,12 @@ class AttachmentService {
public function __construct(IRootFolder $rootFolder,
ShareManager $shareManager,
IPreview $previewManager,
ISession $session,
IMimeTypeDetector $mimeTypeDetector) {
$this->rootFolder = $rootFolder;
$this->shareManager = $shareManager;
$this->previewManager = $previewManager;
$this->session = $session;
$this->mimeTypeDetector = $mimeTypeDetector;
}

@@ -545,6 +552,27 @@ private function getTextFilePublic(?int $documentId, string $shareToken): File {
try {
$share = $this->shareManager->getShareByToken($shareToken);
if ($share->getShareType() === IShare::TYPE_LINK) {

// check for password if required
/** @psalm-suppress RedundantConditionGivenDocblockType */
if ($share->getPassword() !== null) {
$shareId = $this->session->get('public_link_authenticated');
if ($share->getId() !== $shareId) {
throw new InvalidSessionException();
}
}

// check read permission
if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
throw new InvalidSessionException();
}

// check download permission
$attributes = $share->getAttributes();
if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
throw new InvalidSessionException();
}

// shared file or folder?
if ($share->getNodeType() === 'file') {
$textFile = $share->getNode();
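Review bot: The password gate added to `getTextFilePublic` depends on a strict `!==` between `$share->getId()` and whatever the server stores under the session key `public_link_authenticated`, and nothing here documents or checks that shape. The check fails closed when the key is missing, but if a supported server version stores the value with another type or as a collection, every authenticated visitor would be rejected; a comment such as `// session value must be the id of the share whose password was entered` plus a test would pin the contract. All three new checks also sit inside the `IShare::TYPE_LINK` branch, so any other token-based share type reaching this method would not get them; the rest of that branch and the `catch` clauses of the enclosing `try` lie outside the hunk, so this may already be covered. The commit touches only this file, so tests for a password-protected link without the session key, a link lacking read permission, and one with download disabled are still missing.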
