authorJulius Härtl <jus@bitgrid.net>2022-10-25 09:15:39 +0200
committerJulius Härtl <jus@bitgrid.net>2022-10-25 11:35:31 +0200
commit8629d8e44f31dbcc0d8237391aa2fbaeea2d13f1 (patch)
treeada100e09304e5c327d2d772653b24603e08dca8 /core/Controller/PreviewController.php
parente3aac7d573961933b185c87d9600580b21423a42 (diff)
Check share attributes on preview endpoints
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'core/Controller/PreviewController.php')
-rw-r--r--core/Controller/PreviewController.php11
1 files changed, 11 insertions, 0 deletions
diff --git a/core/Controller/PreviewController.php b/core/Controller/PreviewController.php
index 85dedd0bf68..9b3acaae013 100644
--- a/core/Controller/PreviewController.php
+++ b/core/Controller/PreviewController.php
@@ -27,6 +27,7 @@ declare(strict_types=1);
*/
namespace OC\Core\Controller;
+use OCA\Files_Sharing\SharedStorage;
use OCP\AppFramework\Controller;
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataResponse;
@@ -129,6 +130,16 @@ class PreviewController extends Controller {
return new DataResponse([], Http::STATUS_FORBIDDEN);
}
+ $storage = $node->getStorage();
+ if ($storage->instanceOfStorage(SharedStorage::class)) {
+ /** @var SharedStorage $storage */
+ $share = $storage->getShare();
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+ }
+
try {
$f = $this->preview->getPreview($node, $x, $y, !$a, $mode);
$response = new FileDisplayResponse($f, Http::STATUS_OK, [
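Review bot: The new guard before the `try` has no comment saying why a share with downloads disabled must not receive previews, and its `=== false` comparison lets the request through whenever the `permissions`/`download` attribute is absent or `getAttributes()` returns null. That default-allow looks intentional, but it should be written down so a later refactor does not loosen or invert it; I would add `// A preview is a rendition of the file content, so a share with download disabled must not receive one; a missing attribute means download is allowed.` above the `instanceOfStorage` check. The enclosing method starts and ends outside this hunk, so from here it is not visible whether every preview route in this controller passes through it; that is worth confirming, together with a test asserting that a download-disabled share gets `Http::STATUS_FORBIDDEN`.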