Merge pull request #26727 from nextcloud/group-exclude-link-share

Add option to exclude groups from creating link shares

1 files changed, 60 insertions, 60 deletions

diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php
index 983653b7661..5cb51dd0ad5 100644
--- a/lib/private/Share20/Manager.php
+++ b/lib/private/Share20/Manager.php
@@ -57,6 +57,7 @@ use OCP\ILogger;
 use OCP\IURLGenerator;
 use OCP\IUser;
 use OCP\IUserManager;
+use OCP\IUserSession;
 use OCP\L10N\IFactory;
 use OCP\Mail\IMailer;
 use OCP\Security\Events\ValidatePasswordPolicyEvent;
@@ -104,8 +105,6 @@ class Manager implements IManager {
 	private $sharingDisabledForUsersCache;
 	/** @var EventDispatcherInterface */
 	private $legacyDispatcher;
-	/** @var LegacyHooks */
-	private $legacyHooks;
 	/** @var IMailer */
 	private $mailer;
 	/** @var IURLGenerator */
@@ -114,44 +113,26 @@ class Manager implements IManager {
 	private $defaults;
 	/** @var IEventDispatcher */
 	private $dispatcher;
+	private $userSession;
 
-
-	/**
-	 * Manager constructor.
-	 *
-	 * @param ILogger $logger
-	 * @param IConfig $config
-	 * @param ISecureRandom $secureRandom
-	 * @param IHasher $hasher
-	 * @param IMountManager $mountManager
-	 * @param IGroupManager $groupManager
-	 * @param IL10N $l
-	 * @param IFactory $l10nFactory
-	 * @param IProviderFactory $factory
-	 * @param IUserManager $userManager
-	 * @param IRootFolder $rootFolder
-	 * @param EventDispatcherInterface $eventDispatcher
-	 * @param IMailer $mailer
-	 * @param IURLGenerator $urlGenerator
-	 * @param \OC_Defaults $defaults
-	 */
 	public function __construct(
-			ILogger $logger,
-			IConfig $config,
-			ISecureRandom $secureRandom,
-			IHasher $hasher,
-			IMountManager $mountManager,
-			IGroupManager $groupManager,
-			IL10N $l,
-			IFactory $l10nFactory,
-			IProviderFactory $factory,
-			IUserManager $userManager,
-			IRootFolder $rootFolder,
-			EventDispatcherInterface $legacyDispatcher,
-			IMailer $mailer,
-			IURLGenerator $urlGenerator,
-			\OC_Defaults $defaults,
-			IEventDispatcher $dispatcher
+		ILogger $logger,
+		IConfig $config,
+		ISecureRandom $secureRandom,
+		IHasher $hasher,
+		IMountManager $mountManager,
+		IGroupManager $groupManager,
+		IL10N $l,
+		IFactory $l10nFactory,
+		IProviderFactory $factory,
+		IUserManager $userManager,
+		IRootFolder $rootFolder,
+		EventDispatcherInterface $legacyDispatcher,
+		IMailer $mailer,
+		IURLGenerator $urlGenerator,
+		\OC_Defaults $defaults,
+		IEventDispatcher $dispatcher,
+		IUserSession $userSession
 	) {
 		$this->logger = $logger;
 		$this->config = $config;
@@ -166,11 +147,11 @@ class Manager implements IManager {
 		$this->rootFolder = $rootFolder;
 		$this->legacyDispatcher = $legacyDispatcher;
 		$this->sharingDisabledForUsersCache = new CappedMemoryCache();
-		$this->legacyHooks = new LegacyHooks($this->legacyDispatcher);
 		$this->mailer = $mailer;
 		$this->urlGenerator = $urlGenerator;
 		$this->defaults = $defaults;
 		$this->dispatcher = $dispatcher;
+		$this->userSession = $userSession;
 	}
 
 	/**
@@ -274,7 +255,7 @@ class Manager implements IManager {
 
 		// And it should be a file or a folder
 		if (!($share->getNode() instanceof \OCP\Files\File) &&
-				!($share->getNode() instanceof \OCP\Files\Folder)) {
+			!($share->getNode() instanceof \OCP\Files\Folder)) {
 			throw new \InvalidArgumentException('Path should be either a file or a folder');
 		}
 
@@ -422,13 +403,13 @@ class Manager implements IManager {
 		}
 		if ($fullId === null && $expirationDate === null && $defaultExpireDate) {
 			$expirationDate = new \DateTime();
-			$expirationDate->setTime(0,0,0);
+			$expirationDate->setTime(0, 0, 0);
 
 			$days = (int)$this->config->getAppValue('core', $configProp, (string)$defaultExpireDays);
 			if ($days > $defaultExpireDays) {
 				$days = $defaultExpireDays;
 			}
-			$expirationDate->add(new \DateInterval('P'.$days.'D'));
+			$expirationDate->add(new \DateInterval('P' . $days . 'D'));
 		}
 
 		// If we enforce the expiration date check that is does not exceed
@@ -498,13 +479,13 @@ class Manager implements IManager {
 
 		if ($fullId === null && $expirationDate === null && $this->shareApiLinkDefaultExpireDate()) {
 			$expirationDate = new \DateTime();
-			$expirationDate->setTime(0,0,0);
+			$expirationDate->setTime(0, 0, 0);
 
 			$days = (int)$this->config->getAppValue('core', 'link_defaultExpDays', $this->shareApiLinkDefaultExpireDays());
 			if ($days > $this->shareApiLinkDefaultExpireDays()) {
 				$days = $this->shareApiLinkDefaultExpireDays();
 			}
-			$expirationDate->add(new \DateInterval('P'.$days.'D'));
+			$expirationDate->add(new \DateInterval('P' . $days . 'D'));
 		}
 
 		// If we enforce the expiration date check that is does not exceed
@@ -553,8 +534,8 @@ class Manager implements IManager {
 			$sharedWith = $this->userManager->get($share->getSharedWith());
 			// Verify we can share with this user
 			$groups = array_intersect(
-					$this->groupManager->getUserGroupIds($sharedBy),
-					$this->groupManager->getUserGroupIds($sharedWith)
+				$this->groupManager->getUserGroupIds($sharedBy),
+				$this->groupManager->getUserGroupIds($sharedWith)
 			);
 			if (empty($groups)) {
 				$message_t = $this->l->t('Sharing is only allowed with group members');
@@ -919,7 +900,7 @@ class Manager implements IManager {
 			'%1$s via %2$s',
 			[
 				$initiatorDisplayName,
-				$instanceName
+				$instanceName,
 			]
 		);
 		$message->setFrom([\OCP\Util::getDefaultEmailAddress($instanceName) => $senderName]);
@@ -1102,7 +1083,7 @@ class Manager implements IManager {
 	 * @since 9.0.0
 	 */
 	public function acceptShare(IShare $share, string $recipientId): IShare {
-		[$providerId, ] = $this->splitFullId($share->getFullId());
+		[$providerId,] = $this->splitFullId($share->getFullId());
 		$provider = $this->factory->getProvider($providerId);
 
 		if (!method_exists($provider, 'acceptShare')) {
@@ -1127,10 +1108,10 @@ class Manager implements IManager {
 	 */
 	private function updateSharePasswordIfNeeded(IShare $share, IShare $originalShare) {
 		$passwordsAreDifferent = ($share->getPassword() !== $originalShare->getPassword()) &&
-									(($share->getPassword() !== null && $originalShare->getPassword() === null) ||
-									 ($share->getPassword() === null && $originalShare->getPassword() !== null) ||
-									 ($share->getPassword() !== null && $originalShare->getPassword() !== null &&
-										!$this->hasher->verify($share->getPassword(), $originalShare->getPassword())));
+			(($share->getPassword() !== null && $originalShare->getPassword() === null) ||
+				($share->getPassword() === null && $originalShare->getPassword() !== null) ||
+				($share->getPassword() !== null && $originalShare->getPassword() !== null &&
+					!$this->hasher->verify($share->getPassword(), $originalShare->getPassword())));
 
 		// Password updated.
 		if ($passwordsAreDifferent) {
@@ -1225,7 +1206,7 @@ class Manager implements IManager {
 	 * @param string $recipientId
 	 */
 	public function deleteFromSelf(IShare $share, $recipientId) {
-		[$providerId, ] = $this->splitFullId($share->getFullId());
+		[$providerId,] = $this->splitFullId($share->getFullId());
 		$provider = $this->factory->getProvider($providerId);
 
 		$provider->deleteFromSelf($share, $recipientId);
@@ -1234,7 +1215,7 @@ class Manager implements IManager {
 	}
 
 	public function restoreShare(IShare $share, string $recipientId): IShare {
-		[$providerId, ] = $this->splitFullId($share->getFullId());
+		[$providerId,] = $this->splitFullId($share->getFullId());
 		$provider = $this->factory->getProvider($providerId);
 
 		return $provider->restore($share, $recipientId);
@@ -1264,7 +1245,7 @@ class Manager implements IManager {
 			}
 		}
 
-		[$providerId, ] = $this->splitFullId($share->getFullId());
+		[$providerId,] = $this->splitFullId($share->getFullId());
 		$provider = $this->factory->getProvider($providerId);
 
 		return $provider->move($share, $recipientId);
@@ -1291,8 +1272,8 @@ class Manager implements IManager {
 	 */
 	public function getSharesBy($userId, $shareType, $path = null, $reshares = false, $limit = 50, $offset = 0) {
 		if ($path !== null &&
-				!($path instanceof \OCP\Files\File) &&
-				!($path instanceof \OCP\Files\Folder)) {
+			!($path instanceof \OCP\Files\File) &&
+			!($path instanceof \OCP\Files\Folder)) {
 			throw new \InvalidArgumentException('invalid path');
 		}
 
@@ -1533,8 +1514,8 @@ class Manager implements IManager {
 	 */
 	public function checkPassword(IShare $share, $password) {
 		$passwordProtected = $share->getShareType() !== IShare::TYPE_LINK
-							 || $share->getShareType() !== IShare::TYPE_EMAIL
-							 || $share->getShareType() !== IShare::TYPE_CIRCLE;
+			|| $share->getShareType() !== IShare::TYPE_EMAIL
+			|| $share->getShareType() !== IShare::TYPE_CIRCLE;
 		if (!$passwordProtected) {
 			//TODO maybe exception?
 			return false;
@@ -1756,7 +1737,20 @@ class Manager implements IManager {
 	 * @return bool
 	 */
 	public function shareApiAllowLinks() {
-		return $this->config->getAppValue('core', 'shareapi_allow_links', 'yes') === 'yes';
+		if ($this->config->getAppValue('core', 'shareapi_allow_links', 'yes') !== 'yes') {
+			return false;
+		}
+
+		$user = $this->userSession->getUser();
+		if ($user) {
+			$excludedGroups = json_decode($this->config->getAppValue('core', 'shareapi_allow_links_exclude_groups', '[]'));
+			if ($excludedGroups) {
+				$userGroups = $this->groupManager->getUserGroupIds($user);
+				return !(bool)array_intersect($excludedGroups, $userGroups);
+			}
+		}
+
+		return true;
 	}
 
 	/**
@@ -1780,6 +1774,7 @@ class Manager implements IManager {
 	/**
 	 * Is default link expire date enforced
 	 *`
+	 *
 	 * @return bool
 	 */
 	public function shareApiLinkDefaultExpireDateEnforced() {
@@ -1790,6 +1785,7 @@ class Manager implements IManager {
 
 	/**
 	 * Number of default link expire days
+	 *
 	 * @return int
 	 */
 	public function shareApiLinkDefaultExpireDays() {
@@ -1836,6 +1832,7 @@ class Manager implements IManager {
 
 	/**
 	 * Number of default expire days
+	 *
 	 * @return int
 	 */
 	public function shareApiInternalDefaultExpireDays(): int {
@@ -1844,6 +1841,7 @@ class Manager implements IManager {
 
 	/**
 	 * Number of default expire days for remote shares
+	 *
 	 * @return int
 	 */
 	public function shareApiRemoteDefaultExpireDays(): int {
@@ -1861,6 +1859,7 @@ class Manager implements IManager {
 
 	/**
 	 * check if user can only share with group members
+	 *
 	 * @return bool
 	 */
 	public function shareWithGroupMembersOnly() {
@@ -1869,6 +1868,7 @@ class Manager implements IManager {
 
 	/**
 	 * Check if users can share with groups
+	 *
 	 * @return bool
 	 */
 	public function allowGroupSharing() {