author | Ferdinand Thiessen <opensource@fthiessen.de> | 2025-02-18 14:30:13 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2025-02-18 14:30:13 +0100 |
commit | fa7874f8cf4cf5e6184123d20f689da0287c92f3 (patch) | |
tree | 263c17486663933559cb3f96aaae087fe76206ca | |
parent | a80d7ce11db14659765fdc52f139c89a2a2b1717 (diff) | |
parent | c19ce403f3ca0567645b7751df5b697509a460c2 (diff) | |
Merge pull request #50873 from nextcloud/fix/download-perms
fix(files_sharing): block downloading if needed
-rw-r--r-- | apps/files_sharing/lib/Controller/ShareController.php | 5 | ||||
-rw-r--r-- | apps/files_sharing/tests/Controller/ShareControllerTest.php | 29 |
2 files changed, 34 insertions, 0 deletions
diff --git a/apps/files_sharing/lib/Controller/ShareController.php b/apps/files_sharing/lib/Controller/ShareController.php
index 1c3c9534dde..cfd9628410e 100644
--- a/apps/files_sharing/lib/Controller/ShareController.php
+++ b/apps/files_sharing/lib/Controller/ShareController.php
@@ -359,6 +359,11 @@ class ShareController extends AuthPublicShareController {
 return new DataResponse('Share has no read permission');
 }
 
+ $attributes = $share->getAttributes();
+ if ($attributes?->getAttribute('permissions', 'download') === false) {
+ return new DataResponse('Share has no download permission');
+ }
+
 if (!$this->validateShare($share)) {
 throw new NotFoundException();
 }
diff --git a/apps/files_sharing/tests/Controller/ShareControllerTest.php b/apps/files_sharing/tests/Controller/ShareControllerTest.php
index dae5a1d512a..0ed43da52cd 100644
--- a/apps/files_sharing/tests/Controller/ShareControllerTest.php
+++ b/apps/files_sharing/tests/Controller/ShareControllerTest.php
@@ -42,6 +42,7 @@ use OCP\IUserManager;
 use OCP\Security\ISecureRandom;
 use OCP\Server;
 use OCP\Share\Exceptions\ShareNotFound;
+use OCP\Share\IAttributes;
 use OCP\Share\IPublicShareTemplateFactory;
 use OCP\Share\IShare;
 use PHPUnit\Framework\MockObject\MockObject;
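Review bot: The new refusal in the ShareController.php hunk is `return new DataResponse('Share has no download permission');` with no status argument, so a blocked download is answered with DataResponse's default 200 status and is indistinguishable from a served request in access logs, proxies and any detection built on response codes. Passing an explicit status would make the refusal observable, e.g. `return new DataResponse('Share has no download permission', Http::STATUS_FORBIDDEN);` (assuming `OCP\AppFramework\Http` is in scope in this file); the read-permission branch directly above has the same shape and would change with it, along with the expected response in the test. The comparison is `=== false`, so a share without attributes, a missing `download` entry, or a non-boolean stored value all permit the download; a one-line comment such as `// Download is allowed unless the attribute is explicitly false` would record that this default-allow is intended. The enclosing method starts and ends outside the hunk, so whether other paths that serve the same share apply the same check cannot be judged from here.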
@@ -690,6 +691,34 @@ class ShareControllerTest extends \Test\TestCase {
 $this->assertEquals($expectedResponse, $response);
 }
 
+ public function testDownloadShareWithoutDownloadPermission(): void {
+ $attributes = $this->createMock(IAttributes::class);
+ $attributes->expects(self::once())
+ ->method('getAttribute')
+ ->with('permissions', 'download')
+ ->willReturn(false);
+
+ $share = $this->createMock(IShare::class);
+ $share->method('getPassword')->willReturn('password');
+ $share->expects(self::once())
+ ->method('getPermissions')
+ ->willReturn(Constants::PERMISSION_READ);
+ $share->expects(self::once())
+ ->method('getAttributes')
+ ->willReturn($attributes);
+
+ $this->shareManager
+ ->expects(self::once())
+ ->method('getShareByToken')
+ ->with('validtoken')
+ ->willReturn($share);
+
+ // Test with a password protected share and no authentication
+ $response = $this->shareController->downloadShare('validtoken');
+ $expectedResponse = new DataResponse('Share has no download permission');
+ $this->assertEquals($expectedResponse, $response);
+ }
+
 public function testDisabledOwner(): void {
 $this->shareController->setToken('token'); |
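Review bot: testDownloadShareWithoutDownloadPermission pins only the branch where `getAttribute('permissions', 'download')` returns `false`; the allow side of the new guard (`getAttributes()` returning `null`, or the attribute being `null` or `true`) has no case here, so a later change that turns the strict comparison into a loose one, or inverts it, would not be caught by this test. A companion case with `->method('getAttributes')->willReturn(null)` asserting that the refusal response is not returned would cover the nullsafe path. The inline comment `// Test with a password protected share and no authentication` looks carried over from a neighbouring test and does not describe what is asserted; something like `// Download attribute is explicitly false: expect the refusal response` would match the test. The `assertEquals` on two `DataResponse` objects compares status as well as body, so it currently also fixes the refusal at the default status.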