Check share attributes on preview endpoints 34788/head
authorJulius Härtl <jus@bitgrid.net>
Tue, 25 Oct 2022 07:15:39 +0000 (09:15 +0200)
committerJulius Härtl <jus@bitgrid.net>
Tue, 25 Oct 2022 09:35:31 +0000 (11:35 +0200)
Signed-off-by: Julius Härtl <jus@bitgrid.net>
apps/files_sharing/lib/Controller/PublicPreviewController.php
core/Controller/PreviewController.php
tests/Core/Controller/PreviewControllerTest.php

index 98c4d8cafb407592e4308c53ead2bfd8fd2c646d..ee11cf5f3f0bfcfb52e152d4cc6039728d448f3d 100644 (file)
@@ -109,6 +109,11 @@ class PublicPreviewController extends PublicShareController {
                        return new DataResponse([], Http::STATUS_FORBIDDEN);
                }
 
+               $attributes = $share->getAttributes();
+               if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+                       return new DataResponse([], Http::STATUS_FORBIDDEN);
+               }
+
                try {
                        $node = $share->getNode();
                        if ($node instanceof Folder) {
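Review bot: The download-attribute check added here is repeated verbatim in the second hunk of this file (the one starting at old line 159), so the two public preview endpoints can drift apart if one is edited later. Moving the condition into one private helper on the controller, called as `if ($this->isDownloadDisabled($share)) {` at both sites, would keep the rule in one place; that helper name is a suggestion, not an existing method. The check also deserves a why-comment such as `// A preview is a rendition of the file content, so a share with download disabled must not serve one`. The comparison is `=== false`, so a share with no attributes or no 'download' entry still gets a preview; if that default is intended, the comment should say so. Both enclosing methods start and end outside the hunks.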
@@ -159,6 +164,11 @@ class PublicPreviewController extends PublicShareController {
                        return new DataResponse([], Http::STATUS_FORBIDDEN);
                }
 
+               $attributes = $share->getAttributes();
+               if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+                       return new DataResponse([], Http::STATUS_FORBIDDEN);
+               }
+
                try {
                        $node = $share->getNode();
                        if ($node instanceof Folder) {
index 85dedd0bf68c2344105f281bd88eac7eae8e4520..9b3acaae013002b2dbb5477d257096c285d9fa35 100644 (file)
@@ -27,6 +27,7 @@ declare(strict_types=1);
  */
 namespace OC\Core\Controller;
 
+use OCA\Files_Sharing\SharedStorage;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
@@ -129,6 +130,16 @@ class PreviewController extends Controller {
                        return new DataResponse([], Http::STATUS_FORBIDDEN);
                }
 
+               $storage = $node->getStorage();
+               if ($storage->instanceOfStorage(SharedStorage::class)) {
+                       /** @var SharedStorage $storage */
+                       $share = $storage->getShare();
+                       $attributes = $share->getAttributes();
+                       if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+                               return new DataResponse([], Http::STATUS_FORBIDDEN);
+                       }
+               }
+
                try {
                        $f = $this->preview->getPreview($node, $x, $y, !$a, $mode);
                        $response = new FileDisplayResponse($f, Http::STATUS_OK, [
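Review bot: The new block names `OCA\Files_Sharing\SharedStorage` directly, so this core controller now depends on a class owned by the files_sharing app. Using an interface exposed through OCP, if one exists, would keep the layering clean. Failing that, a comment such as `// core has no public API for share-backed storages yet, hence the direct reference to the files_sharing class` would record why the coupling is accepted. Only storages that report themselves as `SharedStorage` are covered, and only the share returned by `getShare()` is inspected. The hunk does not show whether other share-backed storages or nested reshares can reach this path with download disabled, so that should be confirmed. The enclosing method begins and ends outside the hunk.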
index 704ddade7a420efd24ae3271a3d8b54cdf304eef..e6045386538ea0b197980fd7007546ae3014e640 100644 (file)
@@ -32,6 +32,7 @@ use OCP\Files\Folder;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\Files\SimpleFS\ISimpleFile;
+use OCP\Files\Storage\IStorage;
 use OCP\IPreview;
 use OCP\IRequest;
 
@@ -176,6 +177,10 @@ class PreviewControllerTest extends \Test\TestCase {
                        ->with($this->equalTo('file'))
                        ->willReturn($file);
 
+               $storage = $this->createMock(IStorage::class);
+               $file->method('getStorage')
+                       ->willReturn($storage);
+
                $this->previewManager->method('isAvailable')
                        ->with($this->equalTo($file))
                        ->willReturn(true);
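Review bot: No test exercises the new 403 branch. This hunk and the next one (old line 211) only give `$file` a plain `IStorage` mock, and a default mock's `instanceOfStorage()` will not return true, so the share-attribute check is skipped in every test. A dedicated test case should return a `SharedStorage` mock whose share has the 'download' permission attribute set to false and assert that the controller answers with `Http::STATUS_FORBIDDEN`. A second case where `getAttributes()` returns null would pin down the allow-by-default behaviour. The enclosing test methods start outside the hunks, so the setup below covers only the storage side.

```php
// … unchanged: user folder and $file mock setup as in the existing tests …
$attributes = $this->createMock(IAttributes::class);
$attributes->method('getAttribute')
	->with('permissions', 'download')
	->willReturn(false);

$share = $this->createMock(IShare::class);
$share->method('getAttributes')
	->willReturn($attributes);

$storage = $this->createMock(SharedStorage::class);
$storage->method('instanceOfStorage')
	->with(SharedStorage::class)
	->willReturn(true);
$storage->method('getShare')
	->willReturn($share);

$file->method('getStorage')
	->willReturn($storage);
// … call the preview endpoint and expect new DataResponse([], Http::STATUS_FORBIDDEN) …
```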
@@ -211,6 +216,10 @@ class PreviewControllerTest extends \Test\TestCase {
                $file->method('isReadable')
                        ->willReturn(true);
 
+               $storage = $this->createMock(IStorage::class);
+               $file->method('getStorage')
+                       ->willReturn($storage);
+
                $preview = $this->createMock(ISimpleFile::class);
                $preview->method('getName')->willReturn('my name');
                $preview->method('getMTime')->willReturn(42);