summaryrefslogtreecommitdiffstats
path: root/apps
diff options
context:
space:
mode:
authorVincent Petry <vincent@nextcloud.com>2022-06-13 15:50:43 +0200
committerCarl Schwan <carl@carlschwan.eu>2022-07-28 16:54:13 +0200
commit3cfb4cbf94be0f4da1fd7e84b0e37aeb623d9690 (patch)
tree1e9c7abda29b44b97915aac89164a5aecb4ce3b6 /apps
parent2ee659e54787c938e57787261442ad4037270322 (diff)
downloadnextcloud-server-3cfb4cbf94be0f4da1fd7e84b0e37aeb623d9690.tar.gz
nextcloud-server-3cfb4cbf94be0f4da1fd7e84b0e37aeb623d9690.zip
Block download when needed on direct download endpoint
Signed-off-by: Vincent Petry <vincent@nextcloud.com>
Diffstat (limited to 'apps')
-rw-r--r--apps/dav/lib/Controller/DirectController.php16
-rw-r--r--apps/files_sharing/lib/AppInfo/Application.php2
2 files changed, 17 insertions, 1 deletions
diff --git a/apps/dav/lib/Controller/DirectController.php b/apps/dav/lib/Controller/DirectController.php
index 955400998cf..260ef3bae04 100644
--- a/apps/dav/lib/Controller/DirectController.php
+++ b/apps/dav/lib/Controller/DirectController.php
@@ -31,8 +31,11 @@ use OCA\DAV\Db\DirectMapper;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCS\OCSBadRequestException;
use OCP\AppFramework\OCS\OCSNotFoundException;
+use OCP\AppFramework\OCS\OCSForbiddenException;
use OCP\AppFramework\OCSController;
use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\EventDispatcher\GenericEvent;
+use OCP\EventDispatcher\IEventDispatcher;
use OCP\Files\File;
use OCP\Files\IRootFolder;
use OCP\IRequest;
@@ -59,6 +62,8 @@ class DirectController extends OCSController {
/** @var IURLGenerator */
private $urlGenerator;
+ /** @var IEventDispatcher */
+ private $eventDispatcher;
public function __construct(string $appName,
IRequest $request,
@@ -67,7 +72,8 @@ class DirectController extends OCSController {
DirectMapper $mapper,
ISecureRandom $random,
ITimeFactory $timeFactory,
- IURLGenerator $urlGenerator) {
+ IURLGenerator $urlGenerator,
+ IEventDispatcher $eventDispatcher) {
parent::__construct($appName, $request);
$this->rootFolder = $rootFolder;
@@ -76,6 +82,7 @@ class DirectController extends OCSController {
$this->random = $random;
$this->timeFactory = $timeFactory;
$this->urlGenerator = $urlGenerator;
+ $this->eventDispatcher = $eventDispatcher;
}
/**
@@ -99,6 +106,13 @@ class DirectController extends OCSController {
throw new OCSBadRequestException('Direct download only works for files');
}
+ $event = new GenericEvent(null, ['path' => $userFolder->getRelativePath($file->getPath())]);
+ $this->eventDispatcher->dispatch('file.beforeGetDirect', $event);
+
+ if ($event->getArgument('run') === false) {
+ throw new OCSForbiddenException('Permission denied to download file');
+ }
+
//TODO: at some point we should use the directdownlaod function of storages
$direct = new Direct();
$direct->setUserId($this->userId);
diff --git a/apps/files_sharing/lib/AppInfo/Application.php b/apps/files_sharing/lib/AppInfo/Application.php
index 451d6b6557a..ae039520c5b 100644
--- a/apps/files_sharing/lib/AppInfo/Application.php
+++ b/apps/files_sharing/lib/AppInfo/Application.php
@@ -165,6 +165,7 @@ class Application extends App implements IBootstrap {
'file.beforeGetDirect',
function (GenericEvent $event) use ($userSession, $rootFolder) {
$pathsToCheck = [$event->getArgument('path')];
+ $event->setArgument('run', true);
// Check only for user/group shares. Don't restrict e.g. share links
if ($userSession && $userSession->isLoggedIn()) {
@@ -173,6 +174,7 @@ class Application extends App implements IBootstrap {
$rootFolder->getUserFolder($uid)
);
if (!$viewOnlyHandler->check($pathsToCheck)) {
+ $event->setArgument('run', false);
$event->setArgument('errorMessage', 'Access to this resource or one of its sub-items has been denied.');
}
}