diff options
| author | Vincent Petry <pvince81@owncloud.com> | 2016-02-01 18:18:17 +0100 |
|---|---|---|
| committer | Vincent Petry <pvince81@owncloud.com> | 2016-02-01 18:23:40 +0100 |
| commit | d72c0ffbc6c68f02c46d4060996738aabc869a6f (patch) | |
| tree | 09106c104b53bfe3e51a17c3c66b12923f663dd4 /apps/dav | |
| parent | b4853f3fce696b8b89f0dd898b25d7fde93e1a92 (diff) | |
| download | nextcloud-server-d72c0ffbc6c68f02c46d4060996738aabc869a6f.tar.gz nextcloud-server-d72c0ffbc6c68f02c46d4060996738aabc869a6f.zip | |
Make sure user has access to file for system tag operations
Fixes DAV's SystemTagsObjectTypeCollection to not give access to files
where the current user doesn't have access to.
Diffstat (limited to 'apps/dav')
6 files changed, 109 insertions, 13 deletions
diff --git a/apps/dav/lib/rootcollection.php b/apps/dav/lib/rootcollection.php index b7c2995dbad..5be469e7b0c 100644 --- a/apps/dav/lib/rootcollection.php +++ b/apps/dav/lib/rootcollection.php @@ -68,7 +68,8 @@ class RootCollection extends SimpleCollection { \OC::$server->getSystemTagManager(), \OC::$server->getSystemTagObjectMapper(), \OC::$server->getUserSession(), - \OC::$server->getGroupManager() + \OC::$server->getGroupManager(), + \OC::$server->getRootFolder() ); $commentsCollection = new Comments\RootCollection( \OC::$server->getCommentsManager(), diff --git a/apps/dav/lib/systemtag/systemtagplugin.php b/apps/dav/lib/systemtag/systemtagplugin.php index 4636ed428b1..3348b431c47 100644 --- a/apps/dav/lib/systemtag/systemtagplugin.php +++ b/apps/dav/lib/systemtag/systemtagplugin.php @@ -104,12 +104,7 @@ class SystemTagPlugin extends \Sabre\DAV\ServerPlugin { $path = $request->getPath(); // Making sure the node exists - try { - $node = $this->server->tree->getNodeForPath($path); - } catch (NotFound $e) { - return null; - } - + $node = $this->server->tree->getNodeForPath($path); if ($node instanceof SystemTagsByIdCollection || $node instanceof SystemTagsObjectMappingCollection) { $data = $request->getBodyAsString(); diff --git a/apps/dav/lib/systemtag/systemtagsobjecttypecollection.php b/apps/dav/lib/systemtag/systemtagsobjecttypecollection.php index 166e3219bc1..93cc7561928 100644 --- a/apps/dav/lib/systemtag/systemtagsobjecttypecollection.php +++ b/apps/dav/lib/systemtag/systemtagsobjecttypecollection.php @@ -25,12 +25,14 @@ namespace OCA\DAV\SystemTag; use Sabre\DAV\Exception\Forbidden; use Sabre\DAV\Exception\MethodNotAllowed; +use Sabre\DAV\Exception\NotFound; use Sabre\DAV\ICollection; use OCP\SystemTag\ISystemTagManager; use OCP\SystemTag\ISystemTagObjectMapper; use OCP\IUserSession; use OCP\IGroupManager; +use OCP\Files\IRootFolder; /** * Collection containing object ids by object type @@ -63,6 +65,11 @@ class SystemTagsObjectTypeCollection implements ICollection { private $userSession; /** + * @var IRootFolder + **/ + protected $fileRoot; + + /** * Constructor * * @param string $objectType object type @@ -70,19 +77,22 @@ class SystemTagsObjectTypeCollection implements ICollection { * @param ISystemTagObjectMapper $tagMapper * @param IUserSession $userSession * @param IGroupManager $groupManager + * @param IRootFolder $fileRoot */ public function __construct( $objectType, ISystemTagManager $tagManager, ISystemTagObjectMapper $tagMapper, IUserSession $userSession, - IGroupManager $groupManager + IGroupManager $groupManager, + IRootFolder $fileRoot ) { $this->tagManager = $tagManager; $this->tagMapper = $tagMapper; $this->objectType = $objectType; $this->userSession = $userSession; $this->groupManager = $groupManager; + $this->fileRoot = $fileRoot; } /** @@ -116,6 +126,10 @@ class SystemTagsObjectTypeCollection implements ICollection { * @param string $objectId */ function getChild($objectId) { + // make sure the object exists and is reachable + if(!$this->childExists($objectId)) { + throw new NotFound('Entity does not exist or is not available'); + } return new SystemTagsObjectMappingCollection( $objectId, $this->objectType, @@ -134,6 +148,13 @@ class SystemTagsObjectTypeCollection implements ICollection { * @param string $name */ function childExists($name) { + // TODO: make this more abstract + if ($this->objectType === 'files') { + // make sure the object is reachable for the current user + $userId = $this->userSession->getUser()->getUID(); + $nodes = $this->fileRoot->getUserFolder($userId)->getById(intval($name)); + return !empty($nodes); + } return true; } diff --git a/apps/dav/lib/systemtag/systemtagsrelationscollection.php b/apps/dav/lib/systemtag/systemtagsrelationscollection.php index 223aaac93d6..6af4edfc1ab 100644 --- a/apps/dav/lib/systemtag/systemtagsrelationscollection.php +++ b/apps/dav/lib/systemtag/systemtagsrelationscollection.php @@ -28,6 +28,7 @@ use Sabre\DAV\Exception\Forbidden; use Sabre\DAV\SimpleCollection; use OCP\IUserSession; use OCP\IGroupManager; +use OCP\Files\IRootFolder; class SystemTagsRelationsCollection extends SimpleCollection { @@ -38,12 +39,14 @@ class SystemTagsRelationsCollection extends SimpleCollection { * @param ISystemTagObjectMapper $tagMapper * @param IUserSession $userSession * @param IGroupManager $groupManager + * @param IRootFolder $fileRoot */ public function __construct( ISystemTagManager $tagManager, ISystemTagObjectMapper $tagMapper, IUserSession $userSession, - IGroupManager $groupManager + IGroupManager $groupManager, + IRootFolder $fileRoot ) { $children = [ new SystemTagsObjectTypeCollection( @@ -51,7 +54,8 @@ class SystemTagsRelationsCollection extends SimpleCollection { $tagManager, $tagMapper, $userSession, - $groupManager + $groupManager, + $fileRoot ), ]; diff --git a/apps/dav/tests/unit/systemtag/systemtagplugin.php b/apps/dav/tests/unit/systemtag/systemtagplugin.php index 873dd7088a8..b026451701f 100644 --- a/apps/dav/tests/unit/systemtag/systemtagplugin.php +++ b/apps/dav/tests/unit/systemtag/systemtagplugin.php @@ -272,6 +272,40 @@ class SystemTagPlugin extends \Test\TestCase { } /** + * @expectedException \Sabre\DAV\Exception\NotFound + */ + public function testCreateTagToUnknownNode() { + $systemTag = new SystemTag(1, 'Test', true, false); + + $node = $this->getMockBuilder('\OCA\DAV\SystemTag\SystemTagsObjectMappingCollection') + ->disableOriginalConstructor() + ->getMock(); + + $this->tree->expects($this->any()) + ->method('getNodeForPath') + ->will($this->throwException(new \Sabre\DAV\Exception\NotFound())); + + $this->tagManager->expects($this->never()) + ->method('createTag'); + + $node->expects($this->never()) + ->method('createFile'); + + $request = $this->getMockBuilder('Sabre\HTTP\RequestInterface') + ->disableOriginalConstructor() + ->getMock(); + $response = $this->getMockBuilder('Sabre\HTTP\ResponseInterface') + ->disableOriginalConstructor() + ->getMock(); + + $request->expects($this->once()) + ->method('getPath') + ->will($this->returnValue('/systemtags-relations/files/12')); + + $this->plugin->httpPost($request, $response); + } + + /** * @dataProvider nodeClassProvider * @expectedException Sabre\DAV\Exception\Conflict */ diff --git a/apps/dav/tests/unit/systemtag/systemtagsobjecttypecollection.php b/apps/dav/tests/unit/systemtag/systemtagsobjecttypecollection.php index e6d94803cc0..1d4264f94f9 100644 --- a/apps/dav/tests/unit/systemtag/systemtagsobjecttypecollection.php +++ b/apps/dav/tests/unit/systemtag/systemtagsobjecttypecollection.php @@ -38,6 +38,11 @@ class SystemTagsObjectTypeCollection extends \Test\TestCase { */ private $tagMapper; + /** + * @var \OCP\Files\Folder + */ + private $userFolder; + protected function setUp() { parent::setUp(); @@ -58,12 +63,21 @@ class SystemTagsObjectTypeCollection extends \Test\TestCase { ->with('testuser') ->will($this->returnValue(true)); + $this->userFolder = $this->getMock('\OCP\Files\Folder'); + + $fileRoot = $this->getMock('\OCP\Files\IRootFolder'); + $fileRoot->expects($this->any()) + ->method('getUserfolder') + ->with('testuser') + ->will($this->returnValue($this->userFolder)); + $this->node = new \OCA\DAV\SystemTag\SystemTagsObjectTypeCollection( 'files', $this->tagManager, $this->tagMapper, $userSession, - $groupManager + $groupManager, + $fileRoot ); } @@ -82,10 +96,25 @@ class SystemTagsObjectTypeCollection extends \Test\TestCase { } public function testGetChild() { - $childNode = $this->node->getChild('files'); + $this->userFolder->expects($this->once()) + ->method('getById') + ->with('555') + ->will($this->returnValue([true])); + $childNode = $this->node->getChild('555'); $this->assertInstanceOf('\OCA\DAV\SystemTag\SystemTagsObjectMappingCollection', $childNode); - $this->assertEquals('files', $childNode->getName()); + $this->assertEquals('555', $childNode->getName()); + } + + /** + * @expectedException Sabre\DAV\Exception\NotFound + */ + public function testGetChildWithoutAccess() { + $this->userFolder->expects($this->once()) + ->method('getById') + ->with('555') + ->will($this->returnValue([])); + $this->node->getChild('555'); } /** @@ -96,9 +125,21 @@ class SystemTagsObjectTypeCollection extends \Test\TestCase { } public function testChildExists() { + $this->userFolder->expects($this->once()) + ->method('getById') + ->with('123') + ->will($this->returnValue([true])); $this->assertTrue($this->node->childExists('123')); } + public function testChildExistsWithoutAccess() { + $this->userFolder->expects($this->once()) + ->method('getById') + ->with('555') + ->will($this->returnValue([])); + $this->assertFalse($this->node->childExists('555')); + } + /** * @expectedException Sabre\DAV\Exception\Forbidden */ |