summaryrefslogtreecommitdiffstats
path: root/apps/dav/lib
diff options
context:
space:
mode:
Diffstat (limited to 'apps/dav/lib')
-rw-r--r--apps/dav/lib/Connector/Sabre/ServerFactory.php2
-rw-r--r--apps/dav/lib/DAV/ViewOnlyPlugin.php20
-rw-r--r--apps/dav/lib/Server.php2
3 files changed, 18 insertions, 6 deletions
diff --git a/apps/dav/lib/Connector/Sabre/ServerFactory.php b/apps/dav/lib/Connector/Sabre/ServerFactory.php
index 4c57f3412e3..755d13f8371 100644
--- a/apps/dav/lib/Connector/Sabre/ServerFactory.php
+++ b/apps/dav/lib/Connector/Sabre/ServerFactory.php
@@ -161,7 +161,7 @@ class ServerFactory {
// Allow view-only plugin for webdav requests
$server->addPlugin(new ViewOnlyPlugin(
- $this->logger
+ $userFolder,
));
if ($this->userSession->isLoggedIn()) {
diff --git a/apps/dav/lib/DAV/ViewOnlyPlugin.php b/apps/dav/lib/DAV/ViewOnlyPlugin.php
index 51e3622142d..0ae472460be 100644
--- a/apps/dav/lib/DAV/ViewOnlyPlugin.php
+++ b/apps/dav/lib/DAV/ViewOnlyPlugin.php
@@ -24,8 +24,8 @@ namespace OCA\DAV\DAV;
use OCA\DAV\Connector\Sabre\Exception\Forbidden;
use OCA\DAV\Connector\Sabre\File as DavFile;
use OCA\Files_Versions\Sabre\VersionFile;
+use OCP\Files\Folder;
use OCP\Files\NotFoundException;
-use Psr\Log\LoggerInterface;
use Sabre\DAV\Server;
use Sabre\DAV\ServerPlugin;
use Sabre\HTTP\RequestInterface;
@@ -36,10 +36,12 @@ use Sabre\DAV\Exception\NotFound;
*/
class ViewOnlyPlugin extends ServerPlugin {
private ?Server $server = null;
- private LoggerInterface $logger;
+ private ?Folder $userFolder;
- public function __construct(LoggerInterface $logger) {
- $this->logger = $logger;
+ public function __construct(
+ ?Folder $userFolder,
+ ) {
+ $this->userFolder = $userFolder;
}
/**
@@ -76,6 +78,16 @@ class ViewOnlyPlugin extends ServerPlugin {
$node = $davNode->getNode();
} else if ($davNode instanceof VersionFile) {
$node = $davNode->getVersion()->getSourceFile();
+ $currentUserId = $this->userFolder?->getOwner()?->getUID();
+ // The version source file is relative to the owner storage.
+ // But we need the node from the current user perspective.
+ if ($node->getOwner()->getUID() !== $currentUserId) {
+ $nodes = $this->userFolder->getById($node->getId());
+ $node = array_pop($nodes);
+ if (!$node) {
+ throw new NotFoundException("Version file not accessible by current user");
+ }
+ }
} else {
return true;
}
diff --git a/apps/dav/lib/Server.php b/apps/dav/lib/Server.php
index 37b5eb3b70b..809b804796d 100644
--- a/apps/dav/lib/Server.php
+++ b/apps/dav/lib/Server.php
@@ -236,7 +236,7 @@ class Server {
// Allow view-only plugin for webdav requests
$this->server->addPlugin(new ViewOnlyPlugin(
- $logger
+ \OC::$server->getUserFolder(),
));
if (BrowserErrorPagePlugin::isBrowserRequest($request)) {
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-23 12:11:01 +0000