[Sharing 2.0] Move authentication to the OCS API

apps/files_sharing/api/ocssharewrapper.php

@@ -41,7 +41,8 @@ class OCSShareWrapper {
 			\OC::$server->getUserManager(),
 			\OC::$server->getRequest(),
 			\OC::$server->getUserFolder(),
-			\OC::$server->getURLGenerator());
+			\OC::$server->getURLGenerator(),
+			\OC::$server->getUserSession()->getUser());
 	}
 
 	public function getAllShares($params) {

apps/files_sharing/api/share20ocs.php

@@ -22,35 +22,52 @@ namespace OCA\Files_Sharing\API;
 
 use OC\Share20\IShare;
 
+use OCP\IGroupManager;
+use OCP\IUserManager;
+use OCP\IRequest;
+use OCP\Files\Folder;
+use OCP\IURLGenerator;
+use OCP\IUser;
+
 class Share20OCS {
 
 	/** @var \OC\Share20\Manager */
 	private $shareManager;
 
-	/** @var \OCP\IGroupManager */
+	/** @var IGroupManager */
 	private $groupManager;
 
-	/** @var \OCP\IUserManager */
+	/** @var IUserManager */
 	private $userManager;
 
-	/** @var \OCP\IRequest */
+	/** @var IRequest */
 	private $request;
 
-	/** @var \OCP\Files\Folder */
+	/** @var Folder */
 	private $userFolder;
 
-	public function __construct(\OC\Share20\Manager $shareManager,
-	                            \OCP\IGroupManager $groupManager,
-	                            \OCP\IUserManager $userManager,
-	                            \OCP\IRequest $request,
-	                            \OCP\Files\Folder $userFolder,
-	                            \OCP\IURLGenerator $urlGenerator) {
+	/** @var IUrlGenerator */
+	private $urlGenerator;
+
+	/** @var IUser */
+	private $currentUser;
+
+	public function __construct(
+			\OC\Share20\Manager $shareManager,
+			\OCP\IGroupManager $groupManager,
+			\OCP\IUserManager $userManager,
+			\OCP\IRequest $request,
+			\OCP\Files\Folder $userFolder,
+			\OCP\IURLGenerator $urlGenerator,
+			\OCP\IUser $currentUser
+	) {
 		$this->shareManager = $shareManager;
 		$this->userManager = $userManager;
 		$this->groupManager = $groupManager;
 		$this->request = $request;
 		$this->userFolder = $userFolder;
 		$this->urlGenerator = $urlGenerator;
+		$this->currentUser = $currentUser;
 	}
 
 	/**
@@ -131,8 +148,12 @@ class Share20OCS {
 			return new \OC_OCS_Result(null, 404, 'wrong share ID, share doesn\'t exist.');
 		}
 
-		$share = $this->formatShare($share);
-		return new \OC_OCS_Result($share);
+		if ($this->canAccessShare($share)) {
+			$share = $this->formatShare($share);
+			return new \OC_OCS_Result($share);
+		} else {
+			return new \OC_OCS_Result(null, 404, 'wrong share ID, share doesn\'t exist.');
+		}
 	}
 
 	/**
@@ -156,6 +177,10 @@ class Share20OCS {
 			\OCA\Files_Sharing\API\Local::deleteShare(['id' => $id]);
 		}
 
+		if (!$this->canAccessShare($share)) {
+			return new \OC_OCS_Result(null, 404, 'could not delete share');
+		}
+
 		try {
 			$this->shareManager->deleteShare($share);
 		} catch (\OC\Share20\Exception\BackendError $e) {
@@ -164,4 +189,30 @@ class Share20OCS {
 
 		return new \OC_OCS_Result();
 	}
+
+	/**
+	 * @param IShare $share
+	 * @return bool
+	 */
+	protected function canAccessShare(IShare $share) {
+		// Owner of the file and the sharer of the file can always get share
+		if ($share->getShareOwner() === $this->currentUser ||
+			$share->getSharedBy() === $this->currentUser
+		) {
+			return true;
+		}
+
+		// If the share is shared with you (or a group you are a member of)
+		if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER &&
+			$share->getSharedWith() === $this->currentUser) {
+			return true;
+		}
+
+		if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP &&
+			$share->getSharedWith()->inGroup($this->currentUser)) {
+			return true;
+		}
+
+		return false;
+	}
 }

apps/files_sharing/tests/api/share20ocstest.php

@@ -20,28 +20,38 @@
  */
 namespace OCA\Files_Sharing\Tests\API;
 
+use OC\Share20\IShare;
 use OCA\Files_Sharing\API\Share20OCS;
+use OCP\IGroupManager;
+use OCP\IUserManager;
+use OCP\IRequest;
+use OCP\Files\Folder;
+use OCP\IURLGenerator;
+use OCP\IUser;
 
 class Share20OCSTest extends \Test\TestCase {
 
 	/** @var \OC\Share20\Manager */
 	private $shareManager;
 
-	/** @var \OCP\IGroupManager */
+	/** @var IGroupManager */
 	private $groupManager;
 
-	/** @var \OCP\IUserManager */
+	/** @var IUserManager */
 	private $userManager;
 
-	/** @var \OCP\IRequest */
+	/** @var IRequest */
 	private $request;
 
-	/** @var \OCP\Files\Folder */
+	/** @var Folder */
 	private $userFolder;
 
-	/** @var \OCP\IURLGenerator */
+	/** @var IURLGenerator */
 	private $urlGenerator;
 
+	/** @var IUser */
+	private $currentUser;
+
 	/** @var Share20OCS */
 	private $ocs;
 
@@ -54,13 +64,17 @@ class Share20OCSTest extends \Test\TestCase {
 		$this->request = $this->getMock('OCP\IRequest');
 		$this->userFolder = $this->getMock('OCP\Files\Folder');
 		$this->urlGenerator = $this->getMock('OCP\IURLGenerator');
-
-		$this->ocs = new Share20OCS($this->shareManager,
-									$this->groupManager,
-									$this->userManager,
-									$this->request,
-									$this->userFolder,
-									$this->urlGenerator);
+		$this->currentUser = $this->getMock('OCP\IUser');
+
+		$this->ocs = new Share20OCS(
+				$this->shareManager,
+				$this->groupManager,
+				$this->userManager,
+				$this->request,
+				$this->userFolder,
+				$this->urlGenerator,
+				$this->currentUser
+		);
 	}
 
 	public function testDeleteShareShareNotFound() {
@@ -76,6 +90,7 @@ class Share20OCSTest extends \Test\TestCase {
 
 	public function testDeleteShareCouldNotDelete() {
 		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getShareOwner')->willReturn($this->currentUser);
 		$this->shareManager
 			->expects($this->once())
 			->method('getShareById')
@@ -94,6 +109,7 @@ class Share20OCSTest extends \Test\TestCase {
 
 	public function testDeleteShare() {
 		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getSharedBy')->willReturn($this->currentUser);
 		$this->shareManager
 			->expects($this->once())
 			->method('getShareById')
@@ -244,42 +260,6 @@ class Share20OCSTest extends \Test\TestCase {
 		];
 		$data[] = [$share, $expected];
 
-		// Folder shared with remote
-		$share = $this->createShare(101, 
-									\OCP\Share::SHARE_TYPE_REMOTE,
-									'user@remote.com',
-									$owner,
-									$folder,
-									4,
-									5,
-									null,
-									6,
-									'target',
-									0);
-		$expected = [
-			'id' => 101,
-			'share_type' => \OCP\Share::SHARE_TYPE_REMOTE,
-			'share_with' => 'user@remote.com',
-			'share_with_displayname' => 'user@remote.com',
-			'uid_owner' => 'ownerId',
-			'displayname_owner' => 'ownerDisplay',
-			'item_type' => 'folder',
-			'item_source' => 2,
-			'file_source' => 2,
-			'file_target' => 'target',
-			'file_parent' => 3,
-			'token' => null,
-			'expiration' => null,
-			'permissions' => 4,
-			'stime' => 5,
-			'parent' => 6,
-			'storage_id' => 'STORAGE',
-			'path' => 'folder',
-			'storage' => null, // HACK around static function
-			'mail_send' => 0,
-		];
-		$data[] = [$share, $expected];
-
 		// File shared by link with Expire
 		$expire = \DateTime::createFromFormat('Y-m-d h:i:s', '2000-01-02 01:02:03');
 		$share = $this->createShare(101, 
@@ -327,6 +307,20 @@ class Share20OCSTest extends \Test\TestCase {
 	 * @dataProvider dataGetShare
 	 */
 	public function testGetShare(\OC\Share20\IShare $share, array $result) {
+		$ocs = $this->getMockBuilder('OCA\Files_Sharing\API\Share20OCS')
+				->setConstructorArgs([
+					$this->shareManager,
+					$this->groupManager,
+					$this->userManager,
+					$this->request,
+					$this->userFolder,
+					$this->urlGenerator,
+					$this->currentUser
+				])->setMethods(['canAccessShare'])
+				->getMock();
+
+		$ocs->method('canAccessShare')->willReturn(true);
+
 		$this->shareManager
 			->expects($this->once())
 			->method('getShareById')
@@ -342,5 +336,44 @@ class Share20OCSTest extends \Test\TestCase {
 			->willReturn('url');
 
 		$expected = new \OC_OCS_Result($result);
-		$this->assertEquals($expected->getData(), $this->ocs->getShare($share->getId())->getData());	}
+		$this->assertEquals($expected->getData(), $ocs->getShare($share->getId())->getData());
+	}
+
+	public function testCanAccessShare() {
+		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getShareOwner')->willReturn($this->currentUser);
+		$this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getSharedBy')->willReturn($this->currentUser);
+		$this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_USER);
+		$share->method('getSharedWith')->willReturn($this->currentUser);
+		$this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_USER);
+		$share->method('getSharedWith')->willReturn($this->getMock('OCP\IUser'));
+		$this->assertFalse($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_GROUP);
+		$group = $this->getMock('OCP\IGroup');
+		$group->method('inGroup')->with($this->currentUser)->willReturn(true);
+		$share->method('getSharedWith')->willReturn($group);
+		$this->assertTrue($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_GROUP);
+		$group = $this->getMock('OCP\IGroup');
+		$group->method('inGroup')->with($this->currentUser)->willReturn(false);
+		$share->method('getSharedWith')->willReturn($group);
+		$this->assertFalse($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+
+		$share = $this->getMock('OC\Share20\IShare');
+		$share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_LINK);
+		$this->assertFalse($this->invokePrivate($this->ocs, 'canAccessShare', [$share]));
+	}
 }