From: Julius Härtl
Date: Tue, 25 Oct 2022 07:15:39 +0000 (+0200)
Subject: Check share attributes on preview endpoints
X-Git-Tag: v26.0.0beta1~518^2
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=8629d8e44f31dbcc0d8237391aa2fbaeea2d13f1;p=nextcloud-server.git
Check share attributes on preview endpoints
Signed-off-by: Julius Härtl
---
diff --git a/apps/files_sharing/lib/Controller/PublicPreviewController.php b/apps/files_sharing/lib/Controller/PublicPreviewController.php
index 98c4d8cafb4..ee11cf5f3f0 100644
--- a/apps/files_sharing/lib/Controller/PublicPreviewController.php
+++ b/apps/files_sharing/lib/Controller/PublicPreviewController.php
@@ -109,6 +109,11 @@ class PublicPreviewController extends PublicShareController {
 return new DataResponse([], Http::STATUS_FORBIDDEN);
 }
 
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+
 try {
 $node = $share->getNode();
 if ($node instanceof Folder) {
@@ -159,6 +164,11 @@ class PublicPreviewController extends PublicShareController {
 return new DataResponse([], Http::STATUS_FORBIDDEN);
 }
 
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+
 try {
 $node = $share->getNode();
 if ($node instanceof Folder) {
diff --git a/core/Controller/PreviewController.php b/core/Controller/PreviewController.php
index 85dedd0bf68..9b3acaae013 100644
--- a/core/Controller/PreviewController.php
+++ b/core/Controller/PreviewController.php
@@ -27,6 +27,7 @@ declare(strict_types=1);
 */
 namespace OC\Core\Controller;
 
+use OCA\Files_Sharing\SharedStorage;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
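Review bot: The four added lines after the existing `STATUS_FORBIDDEN` return are repeated verbatim in the second hunk of this file and a third time in core/Controller/PreviewController.php, so any change to how the `permissions`/`download` attribute is interpreted now has to be made in three places. If this branch targets PHP 8.0 or later, the null guard and lookup collapse to one line, `if ($share->getAttributes()?->getAttribute('permissions', 'download') === false) {`, and the three endpoints are better served by one shared helper on the share object so they cannot drift apart. A one-line why comment would also help the next reader, e.g. `// A preview is a scaled copy of the file, so a share whose attributes deny download must not serve one either.` The enclosing method begins and ends outside this hunk.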
@@ -129,6 +130,16 @@ class PreviewController extends Controller {
 return new DataResponse([], Http::STATUS_FORBIDDEN);
 }
 
+ $storage = $node->getStorage();
+ if ($storage->instanceOfStorage(SharedStorage::class)) {
+ /** @var SharedStorage $storage */
+ $share = $storage->getShare();
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+ }
+
 try {
 $f = $this->preview->getPreview($node, $x, $y, !$a, $mode);
 $response = new FileDisplayResponse($f, Http::STATUS_OK, [
diff --git a/tests/Core/Controller/PreviewControllerTest.php b/tests/Core/Controller/PreviewControllerTest.php
index 704ddade7a4..e6045386538 100644
--- a/tests/Core/Controller/PreviewControllerTest.php
+++ b/tests/Core/Controller/PreviewControllerTest.php
@@ -32,6 +32,7 @@ use OCP\Files\Folder;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\Files\SimpleFS\ISimpleFile;
+use OCP\Files\Storage\IStorage;
 use OCP\IPreview;
 use OCP\IRequest;
 
@@ -176,6 +177,10 @@ class PreviewControllerTest extends \Test\TestCase {
 ->with($this->equalTo('file'))
 ->willReturn($file);
 
+ $storage = $this->createMock(IStorage::class);
+ $file->method('getStorage')
+ ->willReturn($storage);
+
 $this->previewManager->method('isAvailable')
 ->with($this->equalTo($file))
 ->willReturn(true);
@@ -211,6 +216,10 @@ class PreviewControllerTest extends \Test\TestCase {
 $file->method('isReadable')
 ->willReturn(true);
 
+ $storage = $this->createMock(IStorage::class);
+ $file->method('getStorage')
+ ->willReturn($storage);
+
 $preview = $this->createMock(ISimpleFile::class);
 $preview->method('getName')->willReturn('my name');
 $preview->method('getMTime')->willReturn(42);
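Review bot: The download-attribute guard is only enforced here, in the method whose signature lies outside this hunk; the hunk header shows only the class line, so I cannot confirm from the page whether both the path-based and the file-id preview endpoints of this controller pass through it — if one reaches `$this->preview->getPreview` by another route, that route still serves previews of shares that forbid download and needs the same check. Since `SharedStorage::getShare()` is read through the node's own storage, the decision reflects whichever share mount the node was resolved through, which is worth a sentence in a comment above the block, e.g. `// Logged-in users may only preview a received share if its attributes do not deny download; previews are a scaled copy of the content.` The `@var` hint plus null check can also be shortened with the nullsafe operator on PHP 8, `if ($storage->getShare()->getAttributes()?->getAttribute('permissions', 'download') === false) {`, if the codebase allows it.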
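Review bot: Both test hunks stub `getStorage()` with a plain `IStorage` mock, for which `instanceOfStorage(SharedStorage::class)` is never true, so the new 403 branch in PreviewController is not executed by any test touched here and the commit adds the guard without pinning its behaviour. Add one case whose storage is a mock of `SharedStorage` with `instanceOfStorage` stubbed to return true (createMock replaces every method) and whose `getShare()->getAttributes()->getAttribute('permissions', 'download')` returns `false`, asserting `Http::STATUS_FORBIDDEN`; and a second where `getAttributes()` returns null, asserting the preview is still served. The test methods these hunks extend begin outside the hunks.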