diff options
| author | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-09-09 00:21:50 +0200 |
|---|---|---|
| committer | Ferdinand Thiessen <opensource@fthiessen.de> | 2024-10-28 15:52:27 +0100 |
| commit | c84c256261cc3e518594286fc334797bc99245cc (patch) | |
| tree | ddc2dd1001197c129ef134aa867b954a07076823 /core/Controller/PreviewController.php | |
| parent | 988b6002ed8ed87aa2c4cfa060e20fff91d23190 (diff) | |
| download | nextcloud-server-c84c256261cc3e518594286fc334797bc99245cc.tar.gz nextcloud-server-c84c256261cc3e518594286fc334797bc99245cc.zip | |
fix: Adjust preview for view-only sharesfix/view-only-preview
Previously there was a different behavior for public shares (link-shares) and internal shares,
if the user disabled the view permission.
The legacy UI for public shares simply "disabled" the context menu and hided all download actions.
With Nextcloud 31 all share types use the consistent permissions attributes,
which simplifies code, but caused a regression: Images can no longer been viewed.
Because on 30 and before the attribute was not set, previews for view-only files
were still allowed. Now with 31 we need a new way to allow "viewing" shares.
So this is allowing previews for those files, but only for internal usage.
This is done by settin a special header, which only works with custom requests,
and not by opening the URL directly.
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'core/Controller/PreviewController.php')
| -rw-r--r-- | core/Controller/PreviewController.php | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/core/Controller/PreviewController.php b/core/Controller/PreviewController.php index a3b826c19e6..807df4a2ebc 100644 --- a/core/Controller/PreviewController.php +++ b/core/Controller/PreviewController.php @@ -8,7 +8,6 @@ declare(strict_types=1); */ namespace OC\Core\Controller; -use OCA\Files_Sharing\SharedStorage; use OCP\AppFramework\Controller; use OCP\AppFramework\Http; use OCP\AppFramework\Http\Attribute\FrontpageRoute; @@ -21,6 +20,7 @@ use OCP\Files\File; use OCP\Files\IRootFolder; use OCP\Files\Node; use OCP\Files\NotFoundException; +use OCP\Files\Storage\ISharedStorage; use OCP\IPreview; use OCP\IRequest; use OCP\Preview\IMimeIconProvider; @@ -145,12 +145,17 @@ class PreviewController extends Controller { return new DataResponse([], Http::STATUS_NOT_FOUND); } + // Is this header is set it means our UI is doing a preview for no-download shares + // we check a header so we at least prevent people from using the link directly (obfuscation) + $isNextcloudPreview = $this->request->getHeader('X-NC-Preview') === 'true'; $storage = $node->getStorage(); - if ($storage->instanceOfStorage(SharedStorage::class)) { - /** @var SharedStorage $storage */ + if ($isNextcloudPreview === false && $storage->instanceOfStorage(ISharedStorage::class)) { + /** @var ISharedStorage $storage */ $share = $storage->getShare(); $attributes = $share->getAttributes(); - if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) { + // No "allow preview" header set, so we must check if + // the share has not explicitly disabled download permissions + if ($attributes?->getAttribute('permissions', 'download') === false) { return new DataResponse([], Http::STATUS_FORBIDDEN); } } |