diff options
author | Louis Chemineau <louis@chmn.me> | 2024-02-13 12:39:31 +0100 |
---|---|---|
committer | Louis <louis@chmn.me> | 2024-02-21 21:49:23 +0100 |
commit | fa1a08f5eea7d7daf8f5b0935945ec4932202df6 (patch) | |
tree | 4bc7c465f43d36388dd070734ce5777b5e6a67e1 /apps/files_versions | |
parent | 0e07be4b88f48e3933461a1667cf52f3882ab4a6 (diff) | |
download | nextcloud-server-fa1a08f5eea7d7daf8f5b0935945ec4932202df6.tar.gz nextcloud-server-fa1a08f5eea7d7daf8f5b0935945ec4932202df6.zip |
Check node permissions when deleting a version
Signed-off-by: Louis Chemineau <louis@chmn.me>
Diffstat (limited to 'apps/files_versions')
-rw-r--r-- | apps/files_versions/lib/Versions/LegacyVersionsBackend.php | 30 |
1 files changed, 29 insertions, 1 deletions
diff --git a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php index 784bc0e5449..fe7f41e8155 100644 --- a/apps/files_versions/lib/Versions/LegacyVersionsBackend.php +++ b/apps/files_versions/lib/Versions/LegacyVersionsBackend.php @@ -27,6 +27,7 @@ declare(strict_types=1); namespace OCA\Files_Versions\Versions; use OC\Files\View; +use OCA\DAV\Connector\Sabre\Exception\Forbidden; use OCA\Files_Sharing\ISharedStorage; use OCA\Files_Sharing\SharedStorage; use OCA\Files_Versions\Db\VersionEntity; @@ -41,23 +42,27 @@ use OCP\Files\NotFoundException; use OCP\Files\Storage\IStorage; use OCP\IUser; use OCP\IUserManager; +use OCP\IUserSession; class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend, IDeletableVersionBackend, INeedSyncVersionBackend { private IRootFolder $rootFolder; private IUserManager $userManager; private VersionsMapper $versionsMapper; private IMimeTypeLoader $mimeTypeLoader; + private IUserSession $userSession; public function __construct( IRootFolder $rootFolder, IUserManager $userManager, VersionsMapper $versionsMapper, - IMimeTypeLoader $mimeTypeLoader + IMimeTypeLoader $mimeTypeLoader, + IUserSession $userSession, ) { $this->rootFolder = $rootFolder; $this->userManager = $userManager; $this->versionsMapper = $versionsMapper; $this->mimeTypeLoader = $mimeTypeLoader; + $this->userSession = $userSession; } public function useBackendForStorage(IStorage $storage): bool { @@ -231,6 +236,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend, } public function deleteVersion(IVersion $version): void { + if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_DELETE)) { + throw new Forbidden('You cannot delete this version because you do not have delete permissions on the source file.'); + } + Storage::deleteRevision($version->getVersionPath(), $version->getRevisionId()); $versionEntity = $this->versionsMapper->findVersionForFileId( $version->getSourceFile()->getId(), @@ -270,4 +279,23 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend, public function deleteVersionsEntity(File $file): void { $this->versionsMapper->deleteAllVersionsForFileId($file->getId()); } + + private function currentUserHasPermissions(IVersion $version, int $permissions): bool { + $sourceFile = $version->getSourceFile(); + $currentUserId = $this->userSession->getUser()?->getUID(); + + if ($currentUserId === null) { + throw new NotFoundException("No user logged in"); + } + + if ($sourceFile->getOwner()?->getUID() !== $currentUserId) { + $nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId()); + $sourceFile = array_pop($nodes); + if (!$sourceFile) { + throw new NotFoundException("Version file not accessible by current user"); + } + } + + return ($sourceFile->getPermissions() & $permissions) === $permissions; + } } |