diff options
Diffstat (limited to 'apps/dav/lib/DAV/ViewOnlyPlugin.php')
| -rw-r--r-- | apps/dav/lib/DAV/ViewOnlyPlugin.php | 25 |
1 files changed, 16 insertions, 9 deletions
diff --git a/apps/dav/lib/DAV/ViewOnlyPlugin.php b/apps/dav/lib/DAV/ViewOnlyPlugin.php index 80d0ddc8cf9..9b9615b8063 100644 --- a/apps/dav/lib/DAV/ViewOnlyPlugin.php +++ b/apps/dav/lib/DAV/ViewOnlyPlugin.php @@ -13,6 +13,7 @@ use OCA\DAV\Connector\Sabre\File as DavFile; use OCA\Files_Versions\Sabre\VersionFile; use OCP\Files\Folder; use OCP\Files\NotFoundException; +use OCP\Files\Storage\ISharedStorage; use Sabre\DAV\Exception\NotFound; use Sabre\DAV\Server; use Sabre\DAV\ServerPlugin; @@ -23,12 +24,10 @@ use Sabre\HTTP\RequestInterface; */ class ViewOnlyPlugin extends ServerPlugin { private ?Server $server = null; - private ?Folder $userFolder; public function __construct( - ?Folder $userFolder, + private ?Folder $userFolder, ) { - $this->userFolder = $userFolder; } /** @@ -45,6 +44,7 @@ class ViewOnlyPlugin extends ServerPlugin { //Sabre\DAV\CorePlugin::httpGet $this->server->on('method:GET', [$this, 'checkViewOnly'], 90); $this->server->on('method:COPY', [$this, 'checkViewOnly'], 90); + $this->server->on('method:MOVE', [$this, 'checkViewOnly'], 90); } /** @@ -72,7 +72,7 @@ class ViewOnlyPlugin extends ServerPlugin { $nodes = $this->userFolder->getById($node->getId()); $node = array_pop($nodes); if (!$node) { - throw new NotFoundException("Version file not accessible by current user"); + throw new NotFoundException('Version file not accessible by current user'); } } } else { @@ -81,21 +81,28 @@ class ViewOnlyPlugin extends ServerPlugin { $storage = $node->getStorage(); - if (!$storage->instanceOfStorage(\OCA\Files_Sharing\SharedStorage::class)) { + if (!$storage->instanceOfStorage(ISharedStorage::class)) { return true; } + // Extract extra permissions - /** @var \OCA\Files_Sharing\SharedStorage $storage */ + /** @var ISharedStorage $storage */ $share = $storage->getShare(); - $attributes = $share->getAttributes(); if ($attributes === null) { return true; } - // Check if read-only and on whether permission can download is both set and disabled. + // We have two options here, if download is disabled, but viewing is allowed, + // we still allow the GET request to return the file content. $canDownload = $attributes->getAttribute('permissions', 'download'); - if ($canDownload !== null && !$canDownload) { + if (!$share->canSeeContent()) { + throw new Forbidden('Access to this shared resource has been denied because its download permission is disabled.'); + } + + // If download is disabled, we disable the COPY and MOVE methods even if the + // shareapi_allow_view_without_download is set to true. + if ($request->getMethod() !== 'GET' && ($canDownload !== null && !$canDownload)) { throw new Forbidden('Access to this shared resource has been denied because its download permission is disabled.'); } } catch (NotFound $e) { |