authorBjoern Schiessle <schiessle@owncloud.com>2015-04-15 13:19:17 +0200
committerBjoern Schiessle <schiessle@owncloud.com>2015-04-16 14:15:04 +0200
commitb25c06f5769fbcd90a780cbce90998a38c112043 (patch)
tree3e132d33eacce05ec0ee021a0f1efa953538892a /lib/private/encryption
parent67500d5f2fa9eae33a33095b3e0ddc723dae69c5 (diff)
detect system wide mount points correctly
Diffstat (limited to 'lib/private/encryption')
-rw-r--r--lib/private/encryption/keys/storage.php6
-rw-r--r--lib/private/encryption/manager.php6
-rw-r--r--lib/private/encryption/util.php37
3 files changed, 41 insertions, 8 deletions
diff --git a/lib/private/encryption/keys/storage.php b/lib/private/encryption/keys/storage.php
index 9d978193130..925c20c74c8 100644
--- a/lib/private/encryption/keys/storage.php
+++ b/lib/private/encryption/keys/storage.php
@@ -266,7 +266,7 @@ class Storage implements \OCP\Encryption\Keys\IStorage {
$filename = $this->util->stripPartialFileExtension($filename);
// in case of system wide mount points the keys are stored directly in the data directory
- if ($this->util->isSystemWideMountPoint($filename)) {
+ if ($this->util->isSystemWideMountPoint($filename, $owner)) {
$keyPath = $this->keys_base_dir . $filename . '/';
} else {
$keyPath = '/' . $owner . $this->keys_base_dir . $filename . '/';
@@ -287,7 +287,7 @@ class Storage implements \OCP\Encryption\Keys\IStorage {
list($owner, $source) = $this->util->getUidAndFilename($source);
list(, $target) = $this->util->getUidAndFilename($target);
- $systemWide = $this->util->isSystemWideMountPoint($target);
+ $systemWide = $this->util->isSystemWideMountPoint($target, $owner);
if ($systemWide) {
$sourcePath = $this->keys_base_dir . $source . '/';
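Review bot: The system-wide check on `$target` is made with `$owner`, which comes from `getUidAndFilename($source)`, while the uid returned for the target is discarded by `list(, $target)`. If source and target can belong to different users, the applicability test runs for the wrong user and the keys may be placed in the wrong key directory (system-wide versus per-user). Consider `list($targetOwner, $target) = $this->util->getUidAndFilename($target);` and `$systemWide = $this->util->isSystemWideMountPoint($target, $targetOwner);`, or add a comment stating why the source owner is always the right one. The same pattern appears in the hunk at `@@ -315,7 +315,7 @@`; both enclosing functions start and end outside the hunks.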
@@ -315,7 +315,7 @@ class Storage implements \OCP\Encryption\Keys\IStorage {
list($owner, $source) = $this->util->getUidAndFilename($source);
list(, $target) = $this->util->getUidAndFilename($target);
- $systemWide = $this->util->isSystemWideMountPoint($target);
+ $systemWide = $this->util->isSystemWideMountPoint($target, $owner);
if ($systemWide) {
$sourcePath = $this->keys_base_dir . $source . '/';
diff --git a/lib/private/encryption/manager.php b/lib/private/encryption/manager.php
index 45c98baede3..89abad4934a 100644
--- a/lib/private/encryption/manager.php
+++ b/lib/private/encryption/manager.php
@@ -216,7 +216,11 @@ class Manager implements IManager {
if (!($storage instanceof Shared)) {
$manager = \OC::$server->getEncryptionManager();
$util = new Util(
- new View(), \OC::$server->getUserManager(), \OC::$server->getConfig());
+ new View(),
+ \OC::$server->getUserManager(),
+ \OC::$server->getGroupManager(),
+ \OC::$server->getConfig()
+ );
$user = \OC::$server->getUserSession()->getUser();
$logger = \OC::$server->getLogger();
$uid = $user ? $user->getUID() : null;
diff --git a/lib/private/encryption/util.php b/lib/private/encryption/util.php
index 2eed2f7ca35..98a38012dba 100644
--- a/lib/private/encryption/util.php
+++ b/lib/private/encryption/util.php
@@ -66,15 +66,20 @@ class Util {
/** @var array paths excluded from encryption */
protected $excludedPaths;
+ /** @var \OC\Group\Manager $manager */
+ protected $groupManager;
+
/**
*
* @param \OC\Files\View $view
* @param \OC\User\Manager $userManager
+ * @param \OC\Group\Manager $groupManager
* @param IConfig $config
*/
public function __construct(
\OC\Files\View $view,
\OC\User\Manager $userManager,
+ \OC\Group\Manager $groupManager,
IConfig $config) {
$this->ocHeaderKeys = [
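Review bot: The property docblock `/** @var \OC\Group\Manager $manager */` names a variable that does not exist; it should read `/** @var \OC\Group\Manager $groupManager */`, or drop the name. The new required `$groupManager` parameter is also inserted before `$config`, so any positional caller that was not updated will now pass an `IConfig` where a `\OC\Group\Manager` is type-hinted and fail at construction. Only `manager.php` is updated in the visible diff, which is limited to `lib/private/encryption`, so callers elsewhere should be checked. The constructor body continues outside this hunk.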
@@ -83,6 +88,7 @@ class Util {
$this->view = $view;
$this->userManager = $userManager;
+ $this->groupManager = $groupManager;
$this->config = $config;
$this->excludedPaths[] = 'files_encryption';
@@ -304,15 +310,15 @@ class Util {
/**
* check if the file is stored on a system wide mount point
* @param string $path relative to /data/user with leading '/'
+ * @param string $uid
* @return boolean
*/
- public function isSystemWideMountPoint($path) {
- $normalizedPath = ltrim($path, '/');
+ public function isSystemWideMountPoint($path, $uid) {
if (\OCP\App::isEnabled("files_external")) {
$mounts = \OC_Mount_Config::getSystemMountPoints();
foreach ($mounts as $mount) {
- if ($mount['mountpoint'] == substr($normalizedPath, 0, strlen($mount['mountpoint']))) {
- if ($this->isMountPointApplicableToUser($mount)) {
+ if (strpos($path, '/files/' . $mount['mountpoint']) === 0) {
+ if ($this->isMountPointApplicableToUser($mount, $uid)) {
return true;
}
}
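Review bot: The new test `strpos($path, '/files/' . $mount['mountpoint']) === 0` is a plain string-prefix match, so a mount point named `ext` would also match a sibling path such as `/files/ext-private/a.txt` (constructed example). That result decides whether file keys are stored in the system-wide key directory or under the owner's directory. Matching on a path-segment boundary avoids this: `$prefix = '/files/' . trim($mount['mountpoint'], '/');` followed by `if ($path === $prefix || strpos($path, $prefix . '/') === 0) {`. This assumes the stored mount point carries no guaranteed trailing slash, which is not visible here. With the `ltrim` gone, a path that does not begin with `/files/` never matches, so the `@param string $path` line should state that required form; the end of the function lies outside this hunk.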
@@ -322,6 +328,29 @@ class Util {
}
/**
+ * check if mount point is applicable to user
+ *
+ * @param array $mount contains $mount['applicable']['users'], $mount['applicable']['groups']
+ * @param string $uid
+ * @return boolean
+ */
+ private function isMountPointApplicableToUser($mount, $uid) {
+ $acceptedUids = array('all', $uid);
+ // check if mount point is applicable for the user
+ $intersection = array_intersect($acceptedUids, $mount['applicable']['users']);
+ if (!empty($intersection)) {
+ return true;
+ }
+ // check if mount point is applicable for group where the user is a member
+ foreach ($mount['applicable']['groups'] as $gid) {
+ if ($this->groupManager->isInGroup($uid, $gid)) {
+ return true;
+ }
+ }
+ return false;
+ }
+
+ /**
* check if it is a path which is excluded by ownCloud from encryption
*
* @param string $path
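Review bot: `isMountPointApplicableToUser()` reads `$mount['applicable']['users']` and `$mount['applicable']['groups']` without checking that they exist. A mount entry lacking either key would pass null to `array_intersect()` or `foreach` and raise warnings during key-path resolution. Default them first, e.g. `$users = isset($mount['applicable']['users']) ? $mount['applicable']['users'] : array();`, and the same for `groups`. The docblock could also note that `'all'` is a reserved value meaning every user, and that `$uid` is the user the mount is tested against.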