nextcloud-server.git - Nextcloud server, a safe home for all your data: https://github.com/nextcloud/server

	Commit message (Expand)	Author	Age	Files	Lines
*	Update author information	Lukas Reschke	2016-03-01	2	-0/+2
*	We should check for exceptions when trying to get the avatar	Roeland Jago Douma	2016-02-22	1	-1/+5
*	Add note if integrity check is disabled	Lukas Reschke	2016-02-12	1	-0/+4
*	Consolidate getQuota and setQuota methods in User instance	Arthur Schiwon	2016-02-09	1	-1/+1
*	Move data protection check to javascript	Vincent Chan	2016-02-01	1	-1/+0
*	Introduce IUser::setEMailAddress and add hook mechanism	Thomas Müller	2016-01-20	1	-6/+2
*	Merge pull request #21653 from owncloud/update-license-headers-2016	Thomas Müller	2016-01-13	9	-10/+11
\|\
\| *	Happy new year!	Thomas Müller	2016-01-12	9	-10/+11
* \|	Allow admins to add system wide root certificates	Robin Appelman	2016-01-12	1	-16/+55
\|/
*	Add a warning on the apps list when the version is missing	Joas Schilling	2016-01-07	1	-0/+3
*	Inject OCSClient	Lukas Reschke	2016-01-06	1	-3/+3
*	Use OCP\Util::getVersion instead of the internal private implementation	Morris Jobke	2015-12-18	1	-3/+5
*	Scrutinizer Auto-Fixes	Scrutinizer Auto-Fixer	2015-12-07	1	-1/+0
*	Only try to load avatars in the user list if there is any	Roeland Jago Douma	2015-12-04	1	-1/+13
*	User IUser::getEMailAddress() all over the place	Thomas Müller	2015-12-02	1	-1/+5
*	Remove OC_Config from app management template	Morris Jobke	2015-12-02	1	-0/+1
*	Add code integrity check	Lukas Reschke	2015-12-01	1	-2/+79
*	Moved changedisplayname to usercontroller	Roeland Jago Douma	2015-11-20	1	-0/+54
*	fix subadmin user count for empty groups	Morris Jobke	2015-11-04	1	-0/+1
*	Fix everyone count for subadmins	Vincent Petry	2015-10-29	1	-0/+36
*	Drop OC_SubAdmin and replace usages	Lukas Reschke	2015-10-29	2	-19/+45
*	Merge pull request #19813 from owncloud/stay-on-apps-category-refresh	Thomas Müller	2015-10-26	1	-6/+41
\|\
\| *	Use speaking ids	Joas Schilling	2015-10-26	1	-7/+40
\| *	Stay on the same category when refreshing the page on the apps list	Joas Schilling	2015-10-26	1	-1/+3
* \|	Update license headers	Lukas Reschke	2015-10-26	3	-2/+3
\|/
*	Fix unit test	Roeland Jago Douma	2015-10-21	1	-1/+1
*	Fix memcached/memcache module check	Robin McCorkell	2015-10-20	1	-2/+2
*	Use injected request	Vincent Petry	2015-10-09	1	-1/+1
*	fix IE8 user agent detection	Morris Jobke	2015-10-09	1	-1/+1
*	Fix uploading avatar and root certs in IE8	Vincent Petry	2015-10-09	1	-5/+14
*	Don't perform checks for outdated TLS libs when no internet connection	Lukas Reschke	2015-10-08	1	-2/+20
*	Fix comment syntax	Lukas Reschke	2015-10-08	1	-2/+2
*	Fix importing of certificates	Lukas Reschke	2015-10-06	1	-2/+3
*	Merge pull request #19597 from owncloud/update-license-headers	Thomas Müller	2015-10-06	3	-0/+5
\|\
\| *	deduplicate @xenopathic	Morris Jobke	2015-10-06	1	-1/+1
\| *	update licence headers via script	Morris Jobke	2015-10-05	3	-0/+5
* \|	[admin] check for correct PHP memcached module	Morris Jobke	2015-10-06	1	-0/+18
\|/
*	Update isCertificateImportAllowed() check to new API	Robin McCorkell	2015-09-10	1	-2/+2
*	use config.php value instead of version string	Morris Jobke	2015-09-02	1	-1/+1
*	Add setup check for reverse proxy header configuration	Robin McCorkell	2015-08-10	1	-1/+20
*	Merge pull request #17919 from rullzer/php_supported_check	Thomas Müller	2015-08-10	1	-0/+18
\|\
\| *	Display warning in security & setup warnings if php version is EOL	Roeland Jago Douma	2015-07-29	1	-0/+18
* \|	also block certificate management in the back-end if external storages are di...	Bjoern Schiessle	2015-08-04	1	-1/+33
\|/
*	Merge pull request #17912 from owncloud/detect-old-openssl-versions	Robin McCorkell	2015-07-28	1	-1/+69
\|\
\| *	Detect old NSS and OpenSSL versions	Lukas Reschke	2015-07-28	1	-1/+69
* \|	Add unit tests	Lukas Reschke	2015-07-28	1	-13/+25
* \|	set logger in constructor	Bjoern Schiessle	2015-07-28	1	-0/+1
\|/
*	don't move keys if the key where already moved in a previous migration run	Bjoern Schiessle	2015-07-17	1	-2/+8
*	Merge pull request #17500 from owncloud/encryption_migration_improvements	Thomas Müller	2015-07-16	1	-0/+2
\|\
\| *	only cleanUp the remaining keys if the migration really finished succesfully	Bjoern Schiessle	2015-07-08	1	-0/+2

<?php /** * @copyright Copyright (c) 2016, ownCloud, Inc. * * @author Arthur Schiwon <blizzz@arthur-schiwon.de> * @author Bjoern Schiessle <bjoern@schiessle.org> * @author Björn Schießle <bjoern@schiessle.org> * @author Daniel Calviño Sánchez <danxuliu@gmail.com> * @author Jan-Christoph Borchardt <hey@jancborchardt.net> * @author Joas Schilling <coding@schilljs.com> * @author Julius Härtl <jus@bitgrid.net> * @author Lukas Reschke <lukas@statuscode.ch> * @author Maxence Lange <maxence@artificial-owl.com> * @author Maxence Lange <maxence@nextcloud.com> * @author Morris Jobke <hey@morrisjobke.de> * @author Pauli Järvinen <pauli.jarvinen@gmail.com> * @author Robin Appelman <robin@icewind.nl> * @author Roeland Jago Douma <roeland@famdouma.nl> * @author Stephan Müller <mail@stephanmueller.eu> * @author Vincent Petry <pvince81@owncloud.com> * * @license AGPL-3.0 * * This code is free software: you can redistribute it and/or modify * it under the terms of the GNU Affero General Public License, version 3, * as published by the Free Software Foundation. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU Affero General Public License for more details. * * You should have received a copy of the GNU Affero General Public License, version 3, * along with this program. If not, see <http://www.gnu.org/licenses/> * */ namespace OC\Share20; use OC\Cache\CappedMemoryCache; use OC\Files\Mount\MoveableMount; use OC\HintException; use OC\Share20\Exception\ProviderException; use OCP\Files\File; use OCP\Files\Folder; use OCP\Files\IRootFolder; use OCP\Files\Mount\IMountManager; use OCP\Files\Node; use OCP\IConfig; use OCP\IGroupManager; use OCP\IL10N; use OCP\ILogger; use OCP\IURLGenerator; use OCP\IUser; use OCP\IUserManager; use OCP\L10N\IFactory; use OCP\Mail\IMailer; use OCP\Security\IHasher; use OCP\Security\ISecureRandom; use OCP\Share\Exceptions\GenericShareException; use OCP\Share\Exceptions\ShareNotFound; use OCP\Share\IManager; use OCP\Share\IProviderFactory; use Symfony\Component\EventDispatcher\EventDispatcher; use Symfony\Component\EventDispatcher\GenericEvent; use OCP\Share\IShareProvider; /** * This class is the communication hub for all sharing related operations. */ class Manager implements IManager { /** @var IProviderFactory */ private $factory; /** @var ILogger */ private $logger; /** @var IConfig */ private $config; /** @var ISecureRandom */ private $secureRandom; /** @var IHasher */ private $hasher; /** @var IMountManager */ private $mountManager; /** @var IGroupManager */ private $groupManager; /** @var IL10N */ private $l; /** @var IFactory */ private $l10nFactory; /** @var IUserManager */ private $userManager; /** @var IRootFolder */ private $rootFolder; /** @var CappedMemoryCache */ private $sharingDisabledForUsersCache; /** @var EventDispatcher */ private $eventDispatcher; /** @var LegacyHooks */ private $legacyHooks; /** @var IMailer */ private $mailer; /** @var IURLGenerator */ private $urlGenerator; /** @var \OC_Defaults */ private $defaults; /** * Manager constructor. * * @param ILogger $logger * @param IConfig $config * @param ISecureRandom $secureRandom * @param IHasher $hasher * @param IMountManager $mountManager * @param IGroupManager $groupManager * @param IL10N $l * @param IFactory $l10nFactory * @param IProviderFactory $factory * @param IUserManager $userManager * @param IRootFolder $rootFolder * @param EventDispatcher $eventDispatcher * @param IMailer $mailer * @param IURLGenerator $urlGenerator * @param \OC_Defaults $defaults */ public function __construct( ILogger $logger, IConfig $config, ISecureRandom $secureRandom, IHasher $hasher, IMountManager $mountManager, IGroupManager $groupManager, IL10N $l, IFactory $l10nFactory, IProviderFactory $factory, IUserManager $userManager, IRootFolder $rootFolder, EventDispatcher $eventDispatcher, IMailer $mailer, IURLGenerator $urlGenerator, \OC_Defaults $defaults ) { $this->logger = $logger; $this->config = $config; $this->secureRandom = $secureRandom; $this->hasher = $hasher; $this->mountManager = $mountManager; $this->groupManager = $groupManager; $this->l = $l; $this->l10nFactory = $l10nFactory; $this->factory = $factory; $this->userManager = $userManager; $this->rootFolder = $rootFolder; $this->eventDispatcher = $eventDispatcher; $this->sharingDisabledForUsersCache = new CappedMemoryCache(); $this->legacyHooks = new LegacyHooks($this->eventDispatcher); $this->mailer = $mailer; $this->urlGenerator = $urlGenerator; $this->defaults = $defaults; } /** * Convert from a full share id to a tuple (providerId, shareId) * * @param string $id * @return string[] */ private function splitFullId($id) { return explode(':', $id, 2); } /** * Verify if a password meets all requirements * * @param string $password * @throws \Exception */ protected function verifyPassword($password) { if ($password === null) { // No password is set, check if this is allowed. if ($this->shareApiLinkEnforcePassword()) { throw new \InvalidArgumentException('Passwords are enforced for link shares'); } return; } // Let others verify the password try { $event = new GenericEvent($password); $this->eventDispatcher->dispatch('OCP\PasswordPolicy::validate', $event); } catch (HintException $e) { throw new \Exception($e->getHint()); } } /** * Check for generic requirements before creating a share * * @param \OCP\Share\IShare $share * @throws \InvalidArgumentException * @throws GenericShareException * * @suppress PhanUndeclaredClassMethod */ protected function generalCreateChecks(\OCP\Share\IShare $share) { if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) { // We expect a valid user as sharedWith for user shares if (!$this->userManager->userExists($share->getSharedWith())) { throw new \InvalidArgumentException('SharedWith is not a valid user'); } } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) { // We expect a valid group as sharedWith for group shares if (!$this->groupManager->groupExists($share->getSharedWith())) { throw new \InvalidArgumentException('SharedWith is not a valid group'); } } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) { if ($share->getSharedWith() !== null) { throw new \InvalidArgumentException('SharedWith should be empty'); } } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_REMOTE) { if ($share->getSharedWith() === null) { throw new \InvalidArgumentException('SharedWith should not be empty'); } } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) { if ($share->getSharedWith() === null) { throw new \InvalidArgumentException('SharedWith should not be empty'); } } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_CIRCLE) { $circle = \OCA\Circles\Api\v1\Circles::detailsCircle($share->getSharedWith()); if ($circle === null) { throw new \InvalidArgumentException('SharedWith is not a valid circle'); } } else { // We can't handle other types yet throw new \InvalidArgumentException('unknown share type'); } // Verify the initiator of the share is set if ($share->getSharedBy() === null) { throw new \InvalidArgumentException('SharedBy should be set'); } // Cannot share with yourself if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER && $share->getSharedWith() === $share->getSharedBy()) { throw new \InvalidArgumentException('Can’t share with yourself'); } // The path should be set if ($share->getNode() === null) { throw new \InvalidArgumentException('Path should be set'); } // And it should be a file or a folder if (!($share->getNode() instanceof \OCP\Files\File) && !($share->getNode() instanceof \OCP\Files\Folder)) { throw new \InvalidArgumentException('Path should be either a file or a folder'); } // And you can't share your rootfolder if ($this->userManager->userExists($share->getSharedBy())) { $sharedPath = $this->rootFolder->getUserFolder($share->getSharedBy())->getPath(); } else { $sharedPath = $this->rootFolder->getUserFolder($share->getShareOwner())->getPath(); } if ($sharedPath === $share->getNode()->getPath()) { throw new \InvalidArgumentException('You can’t share your root folder'); } // Check if we actually have share permissions if (!$share->getNode()->isShareable()) { $message_t = $this->l->t('You are not allowed to share %s', [$share->getNode()->getPath()]); throw new GenericShareException($message_t, $message_t, 404); } // Permissions should be set if ($share->getPermissions() === null) { throw new \InvalidArgumentException('A share requires permissions'); } /* * Quick fix for #23536 * Non moveable mount points do not have update and delete permissions * while we 'most likely' do have that on the storage. */ $permissions = $share->getNode()->getPermissions(); $mount = $share->getNode()->getMountPoint(); if (!($mount instanceof MoveableMount)) { $permissions |= \OCP\Constants::PERMISSION_DELETE | \OCP\Constants::PERMISSION_UPDATE; } // Check that we do not share with more permissions than we have if ($share->getPermissions() & ~$permissions) { $message_t = $this->l->t('Can’t increase permissions of %s', [$share->getNode()->getPath()]); throw new GenericShareException($message_t, $message_t, 404); } // Check that read permissions are always set // Link shares are allowed to have no read permissions to allow upload to hidden folders $noReadPermissionRequired = $share->getShareType() === \OCP\Share::SHARE_TYPE_LINK || $share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL; if (!$noReadPermissionRequired && ($share->getPermissions() & \OCP\Constants::PERMISSION_READ) === 0) { throw new \InvalidArgumentException('Shares need at least read permissions'); } if ($share->getNode() instanceof \OCP\Files\File) { if ($share->getPermissions() & \OCP\Constants::PERMISSION_DELETE) { $message_t = $this->l->t('Files can’t be shared with delete permissions'); throw new GenericShareException($message_t); } if ($share->getPermissions() & \OCP\Constants::PERMISSION_CREATE) { $message_t = $this->l->t('Files can’t be shared with create permissions'); throw new GenericShareException($message_t); } } } /** * Validate if the expiration date fits the system settings * * @param \OCP\Share\IShare $share The share to validate the expiration date of * @return \OCP\Share\IShare The modified share object * @throws GenericShareException * @throws \InvalidArgumentException * @throws \Exception */ protected function validateExpirationDate(\OCP\Share\IShare $share) { $expirationDate = $share->getExpirationDate(); if ($expirationDate !== null) { //Make sure the expiration date is a date $expirationDate->setTime(0, 0, 0); $date = new \DateTime(); $date->setTime(0, 0, 0); if ($date >= $expirationDate) { $message = $this->l->t('Expiration date is in the past'); throw new GenericShareException($message, $message, 404); } } // If expiredate is empty set a default one if there is a default $fullId = null; try { $fullId = $share->getFullId(); } catch (\UnexpectedValueException $e) { // This is a new share } if ($fullId === null && $expirationDate === null && $this->shareApiLinkDefaultExpireDate()) { $expirationDate = new \DateTime(); $expirationDate->setTime(0,0,0); $expirationDate->add(new \DateInterval('P'.$this->shareApiLinkDefaultExpireDays().'D')); } // If we enforce the expiration date check that is does not exceed if ($this->shareApiLinkDefaultExpireDateEnforced()) { if ($expirationDate === null) { throw new \InvalidArgumentException('Expiration date is enforced'); } $date = new \DateTime(); $date->setTime(0, 0, 0); $date->add(new \DateInterval('P' . $this->shareApiLinkDefaultExpireDays() . 'D')); if ($date < $expirationDate) { $message = $this->l->t('Can’t set expiration date more than %s days in the future', [$this->shareApiLinkDefaultExpireDays()]); throw new GenericShareException($message, $message, 404); } } $accepted = true; $message = ''; \OCP\Util::emitHook('\OC\Share', 'verifyExpirationDate', [ 'expirationDate' => &$expirationDate, 'accepted' => &$accepted, 'message' => &$message, 'passwordSet' => $share->getPassword() !== null, ]); if (!$accepted) { throw new \Exception($message); } $share->setExpirationDate($expirationDate); return $share; } /** * Check for pre share requirements for user shares * * @param \OCP\Share\IShare $share * @throws \Exception */ protected function userCreateChecks(\OCP\Share\IShare $share) { // Check if we can share with group members only if ($this->shareWithGroupMembersOnly()) { $sharedBy = $this->userManager->get($share->getSharedBy()); $sharedWith = $this->userManager->get($share->getSharedWith()); // Verify we can share with this user $groups = array_intersect( $this->groupManager->getUserGroupIds($sharedBy), $this->groupManager->getUserGroupIds($sharedWith) ); if (empty($groups)) { throw new \Exception('Sharing is only allowed with group members'); } } /* * TODO: Could be costly, fix * * Also this is not what we want in the future.. then we want to squash identical shares. */ $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_USER); $existingShares = $provider->getSharesByPath($share->getNode()); foreach($existingShares as $existingShare) { // Ignore if it is the same share try { if ($existingShare->getFullId() === $share->getFullId()) { continue; } } catch (\UnexpectedValueException $e) { //Shares are not identical } // Identical share already existst if ($existingShare->getSharedWith() === $share->getSharedWith()) { throw new \Exception('Path is already shared with this user'); } // The share is already shared with this user via a group share if ($existingShare->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) { $group = $this->groupManager->get($existingShare->getSharedWith()); if (!is_null($group)) { $user = $this->userManager->get($share->getSharedWith()); if ($group->inGroup($user) && $existingShare->getShareOwner() !== $share->getShareOwner()) { throw new \Exception('Path is already shared with this user'); } } } } } /** * Check for pre share requirements for group shares * * @param \OCP\Share\IShare $share * @throws \Exception */ protected function groupCreateChecks(\OCP\Share\IShare $share) { // Verify group shares are allowed if (!$this->allowGroupSharing()) { throw new \Exception('Group sharing is now allowed'); } // Verify if the user can share with this group if ($this->shareWithGroupMembersOnly()) { $sharedBy = $this->userManager->get($share->getSharedBy()); $sharedWith = $this->groupManager->get($share->getSharedWith()); if (is_null($sharedWith) || !$sharedWith->inGroup($sharedBy)) { throw new \Exception('Sharing is only allowed within your own groups'); } } /* * TODO: Could be costly, fix * * Also this is not what we want in the future.. then we want to squash identical shares. */ $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_GROUP); $existingShares = $provider->getSharesByPath($share->getNode()); foreach($existingShares as $existingShare) { try { if ($existingShare->getFullId() === $share->getFullId()) { continue; } } catch (\UnexpectedValueException $e) { //It is a new share so just continue } if ($existingShare->getSharedWith() === $share->getSharedWith()) { throw new \Exception('Path is already shared with this group'); } } } /** * Check for pre share requirements for link shares * * @param \OCP\Share\IShare $share * @throws \Exception */ protected function linkCreateChecks(\OCP\Share\IShare $share) { // Are link shares allowed? if (!$this->shareApiAllowLinks()) { throw new \Exception('Link sharing is not allowed'); } // Link shares by definition can't have share permissions if ($share->getPermissions() & \OCP\Constants::PERMISSION_SHARE) { throw new \InvalidArgumentException('Link shares can’t have reshare permissions'); } // Check if public upload is allowed if (!$this->shareApiLinkAllowPublicUpload() && ($share->getPermissions() & (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE))) { throw new \InvalidArgumentException('Public upload is not allowed'); } } /** * To make sure we don't get invisible link shares we set the parent * of a link if it is a reshare. This is a quick word around * until we can properly display multiple link shares in the UI * * See: https://github.com/owncloud/core/issues/22295 * * FIXME: Remove once multiple link shares can be properly displayed * * @param \OCP\Share\IShare $share */ protected function setLinkParent(\OCP\Share\IShare $share) { // No sense in checking if the method is not there. if (method_exists($share, 'setParent')) { $storage = $share->getNode()->getStorage(); if ($storage->instanceOfStorage('\OCA\Files_Sharing\ISharedStorage')) { /** @var \OCA\Files_Sharing\SharedStorage $storage */ $share->setParent($storage->getShareId()); } }; } /** * @param File|Folder $path */ protected function pathCreateChecks($path) { // Make sure that we do not share a path that contains a shared mountpoint if ($path instanceof \OCP\Files\Folder) { $mounts = $this->mountManager->findIn($path->getPath()); foreach($mounts as $mount) { if ($mount->getStorage()->instanceOfStorage('\OCA\Files_Sharing\ISharedStorage')) { throw new \InvalidArgumentException('Path contains files shared with you'); } } } } /** * Check if the user that is sharing can actually share * * @param \OCP\Share\IShare $share * @throws \Exception */ protected function canShare(\OCP\Share\IShare $share) { if (!$this->shareApiEnabled()) { throw new \Exception('Sharing is disabled'); } if ($this->sharingDisabledForUser($share->getSharedBy())) { throw new \Exception('Sharing is disabled for you'); } } /** * Share a path * * @param \OCP\Share\IShare $share * @return Share The share object * @throws \Exception * * TODO: handle link share permissions or check them */ public function createShare(\OCP\Share\IShare $share) { $this->canShare($share); $this->generalCreateChecks($share); // Verify if there are any issues with the path $this->pathCreateChecks($share->getNode()); /* * On creation of a share the owner is always the owner of the path * Except for mounted federated shares. */ $storage = $share->getNode()->getStorage(); if ($storage->instanceOfStorage('OCA\Files_Sharing\External\Storage')) { $parent = $share->getNode()->getParent(); while($parent->getStorage()->instanceOfStorage('OCA\Files_Sharing\External\Storage')) { $parent = $parent->getParent(); } $share->setShareOwner($parent->getOwner()->getUID()); } else { $share->setShareOwner($share->getNode()->getOwner()->getUID()); } //Verify share type if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) { $this->userCreateChecks($share); } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) { $this->groupCreateChecks($share); } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) { $this->linkCreateChecks($share); $this->setLinkParent($share); /* * For now ignore a set token. */ $share->setToken( $this->secureRandom->generate( \OC\Share\Constants::TOKEN_LENGTH, \OCP\Security\ISecureRandom::CHAR_HUMAN_READABLE ) ); //Verify the expiration date $this->validateExpirationDate($share); //Verify the password $this->verifyPassword($share->getPassword()); // If a password is set. Hash it! if ($share->getPassword() !== null) { $share->setPassword($this->hasher->hash($share->getPassword())); } } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) { $share->setToken( $this->secureRandom->generate( \OC\Share\Constants::TOKEN_LENGTH, \OCP\Security\ISecureRandom::CHAR_HUMAN_READABLE ) ); } // Cannot share with the owner if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER && $share->getSharedWith() === $share->getShareOwner()) { throw new \InvalidArgumentException('Can’t share with the share owner'); } // Generate the target $target = $this->config->getSystemValue('share_folder', '/') .'/'. $share->getNode()->getName(); $target = \OC\Files\Filesystem::normalizePath($target); $share->setTarget($target); // Pre share event $event = new GenericEvent($share); $a = $this->eventDispatcher->dispatch('OCP\Share::preShare', $event); if ($event->isPropagationStopped() && $event->hasArgument('error')) { throw new \Exception($event->getArgument('error')); } $oldShare = $share; $provider = $this->factory->getProviderForType($share->getShareType()); $share = $provider->create($share); //reuse the node we already have $share->setNode($oldShare->getNode()); // Post share event $event = new GenericEvent($share); $this->eventDispatcher->dispatch('OCP\Share::postShare', $event); if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) { $user = $this->userManager->get($share->getSharedWith()); if ($user !== null) { $emailAddress = $user->getEMailAddress(); if ($emailAddress !== null && $emailAddress !== '') { $userLang = $this->config->getUserValue($share->getSharedWith(), 'core', 'lang', null); $l = $this->l10nFactory->get('lib', $userLang); $this->sendMailNotification( $l, $share->getNode()->getName(), $this->urlGenerator->linkToRouteAbsolute('files.viewcontroller.showFile', [ 'fileid' => $share->getNode()->getId() ]), $share->getSharedBy(), $emailAddress, $share->getExpirationDate() ); $this->logger->debug('Send share notification to ' . $emailAddress . ' for share with ID ' . $share->getId(), ['app' => 'share']); } else { $this->logger->debug('Share notification not send to ' . $share->getSharedWith() . ' because email address is not set.', ['app' => 'share']); } } else { $this->logger->debug('Share notification not send to ' . $share->getSharedWith() . ' because user could not be found.', ['app' => 'share']); } } return $share; } /** * @param IL10N $l Language of the recipient * @param string $filename file/folder name * @param string $link link to the file/folder * @param string $initiator user ID of share sender * @param string $shareWith email address of share receiver * @param \DateTime|null $expiration * @throws \Exception If mail couldn't be sent */ protected function sendMailNotification(IL10N $l, $filename, $link, $initiator, $shareWith, \DateTime $expiration = null) { $initiatorUser = $this->userManager->get($initiator); $initiatorDisplayName = ($initiatorUser instanceof IUser) ? $initiatorUser->getDisplayName() : $initiator; $message = $this->mailer->createMessage(); $emailTemplate = $this->mailer->createEMailTemplate('files_sharing.RecipientNotification', [ 'filename' => $filename, 'link' => $link, 'initiator' => $initiatorDisplayName, 'expiration' => $expiration, 'shareWith' => $shareWith, ]); $emailTemplate->setSubject($l->t('%s shared »%s« with you', array($initiatorDisplayName, $filename))); $emailTemplate->addHeader(); $emailTemplate->addHeading($l->t('%s shared »%s« with you', [$initiatorDisplayName, $filename]), false); $text = $l->t('%s shared »%s« with you.', [$initiatorDisplayName, $filename]); $emailTemplate->addBodyText( $text . ' ' . $l->t('Click the button below to open it.'), $text ); $emailTemplate->addBodyButton( $l->t('Open »%s«', [$filename]), $link ); $message->setTo([$shareWith]); // The "From" contains the sharers name $instanceName = $this->defaults->getName(); $senderName = $l->t( '%s via %s', [ $initiatorDisplayName, $instanceName ] ); $message->setFrom([\OCP\Util::getDefaultEmailAddress($instanceName) => $senderName]); // The "Reply-To" is set to the sharer if an mail address is configured // also the default footer contains a "Do not reply" which needs to be adjusted. $initiatorEmail = $initiatorUser->getEMailAddress(); if($initiatorEmail !== null) { $message->setReplyTo([$initiatorEmail => $initiatorDisplayName]); $emailTemplate->addFooter($instanceName . ($this->defaults->getSlogan() !== '' ? ' - ' . $this->defaults->getSlogan() : '')); } else { $emailTemplate->addFooter(); } $message->useTemplate($emailTemplate); $this->mailer->send($message); } /** * Update a share * * @param \OCP\Share\IShare $share * @return \OCP\Share\IShare The share object * @throws \InvalidArgumentException */ public function updateShare(\OCP\Share\IShare $share) { $expirationDateUpdated = false; $this->canShare($share); try { $originalShare = $this->getShareById($share->getFullId()); } catch (\UnexpectedValueException $e) { throw new \InvalidArgumentException('Share does not have a full id'); } // We can't change the share type! if ($share->getShareType() !== $originalShare->getShareType()) { throw new \InvalidArgumentException('Can’t change share type'); } // We can only change the recipient on user shares if ($share->getSharedWith() !== $originalShare->getSharedWith() && $share->getShareType() !== \OCP\Share::SHARE_TYPE_USER) { throw new \InvalidArgumentException('Can only update recipient on user shares'); } // Cannot share with the owner if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER && $share->getSharedWith() === $share->getShareOwner()) { throw new \InvalidArgumentException('Can’t share with the share owner'); } $this->generalCreateChecks($share); if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) { $this->userCreateChecks($share); } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) { $this->groupCreateChecks($share); } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) { $this->linkCreateChecks($share); $this->updateSharePasswordIfNeeded($share, $originalShare); if ($share->getExpirationDate() != $originalShare->getExpirationDate()) { //Verify the expiration date $this->validateExpirationDate($share); $expirationDateUpdated = true; } } else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) { $plainTextPassword = $share->getPassword(); if (!$this->updateSharePasswordIfNeeded($share, $originalShare)) { $plainTextPassword = null; } } $this->pathCreateChecks($share->getNode()); // Now update the share! $provider = $this->factory->getProviderForType($share->getShareType()); if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) { $share = $provider->update($share, $plainTextPassword); } else { $share = $provider->update($share); } if ($expirationDateUpdated === true) { \OC_Hook::emit('OCP\Share', 'post_set_expiration_date', [ 'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder', 'itemSource' => $share->getNode()->getId(), 'date' => $share->getExpirationDate(), 'uidOwner' => $share->getSharedBy(), ]); } if ($share->getPassword() !== $originalShare->getPassword()) { \OC_Hook::emit('OCP\Share', 'post_update_password', [ 'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder', 'itemSource' => $share->getNode()->getId(), 'uidOwner' => $share->getSharedBy(), 'token' => $share->getToken(), 'disabled' => is_null($share->getPassword()), ]); } if ($share->getPermissions() !== $originalShare->getPermissions()) { if ($this->userManager->userExists($share->getShareOwner())) { $userFolder = $this->rootFolder->getUserFolder($share->getShareOwner()); } else { $userFolder = $this->rootFolder->getUserFolder($share->getSharedBy()); } \OC_Hook::emit('OCP\Share', 'post_update_permissions', array( 'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder', 'itemSource' => $share->getNode()->getId(), 'shareType' => $share->getShareType(), 'shareWith' => $share->getSharedWith(), 'uidOwner' => $share->getSharedBy(), 'permissions' => $share->getPermissions(), 'path' => $userFolder->getRelativePath($share->getNode()->getPath()), )); } return $share; } /** * Updates the password of the given share if it is not the same as the * password of the original share. * * @param \OCP\Share\IShare $share the share to update its password. * @param \OCP\Share\IShare $originalShare the original share to compare its * password with. * @return boolean whether the password was updated or not. */ private function updateSharePasswordIfNeeded(\OCP\Share\IShare $share, \OCP\Share\IShare $originalShare) { // Password updated. if ($share->getPassword() !== $originalShare->getPassword()) { //Verify the password $this->verifyPassword($share->getPassword()); // If a password is set. Hash it! if ($share->getPassword() !== null) { $share->setPassword($this->hasher->hash($share->getPassword())); return true; } } return false; } /** * Delete all the children of this share * FIXME: remove once https://github.com/owncloud/core/pull/21660 is in * * @param \OCP\Share\IShare $share * @return \OCP\Share\IShare[] List of deleted shares */ protected function deleteChildren(\OCP\Share\IShare $share) { $deletedShares = []; $provider = $this->factory->getProviderForType($share->getShareType()); foreach ($provider->getChildren($share) as $child) { $deletedChildren = $this->deleteChildren($child); $deletedShares = array_merge($deletedShares, $deletedChildren); $provider->delete($child); $deletedShares[] = $child; } return $deletedShares; } /** * Delete a share * * @param \OCP\Share\IShare $share * @throws ShareNotFound * @throws \InvalidArgumentException */ public function deleteShare(\OCP\Share\IShare $share) { try { $share->getFullId(); } catch (\UnexpectedValueException $e) { throw new \InvalidArgumentException('Share does not have a full id'); } $event = new GenericEvent($share); $this->eventDispatcher->dispatch('OCP\Share::preUnshare', $event); // Get all children and delete them as well $deletedShares = $this->deleteChildren($share); // Do the actual delete $provider = $this->factory->getProviderForType($share->getShareType()); $provider->delete($share); // All the deleted shares caused by this delete $deletedShares[] = $share; // Emit post hook $event->setArgument('deletedShares', $deletedShares); $this->eventDispatcher->dispatch('OCP\Share::postUnshare', $event); } /** * Unshare a file as the recipient. * This can be different from a regular delete for example when one of * the users in a groups deletes that share. But the provider should * handle this. * * @param \OCP\Share\IShare $share * @param string $recipientId */ public function deleteFromSelf(\OCP\Share\IShare $share, $recipientId) { list($providerId, ) = $this->splitFullId($share->getFullId()); $provider = $this->factory->getProvider($providerId); $provider->deleteFromSelf($share, $recipientId); $event = new GenericEvent($share); $this->eventDispatcher->dispatch('OCP\Share::postUnshareFromSelf', $event); } /** * @inheritdoc */ public function moveShare(\OCP\Share\IShare $share, $recipientId) { if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) { throw new \InvalidArgumentException('Can’t change target of link share'); } if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER && $share->getSharedWith() !== $recipientId) { throw new \InvalidArgumentException('Invalid recipient'); } if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) { $sharedWith = $this->groupManager->get($share->getSharedWith()); if (is_null($sharedWith)) { throw new \InvalidArgumentException('Group "' . $share->getSharedWith() . '" does not exist'); } $recipient = $this->userManager->get($recipientId); if (!$sharedWith->inGroup($recipient)) { throw new \InvalidArgumentException('Invalid recipient'); } } list($providerId, ) = $this->splitFullId($share->getFullId()); $provider = $this->factory->getProvider($providerId); $provider->move($share, $recipientId); } public function getSharesInFolder($userId, Folder $node, $reshares = false) { $providers = $this->factory->getAllProviders(); return array_reduce($providers, function($shares, IShareProvider $provider) use ($userId, $node, $reshares) { $newShares = $provider->getSharesInFolder($userId, $node, $reshares); foreach ($newShares as $fid => $data) { if (!isset($shares[$fid])) { $shares[$fid] = []; } $shares[$fid] = array_merge($shares[$fid], $data); } return $shares; }, []); } /** * @inheritdoc */ public function getSharesBy($userId, $shareType, $path = null, $reshares = false, $limit = 50, $offset = 0) { if ($path !== null && !($path instanceof \OCP\Files\File) && !($path instanceof \OCP\Files\Folder)) { throw new \InvalidArgumentException('invalid path'); } try { $provider = $this->factory->getProviderForType($shareType); } catch (ProviderException $e) { return []; } $shares = $provider->getSharesBy($userId, $shareType, $path, $reshares, $limit, $offset); /* * Work around so we don't return expired shares but still follow * proper pagination. */ $shares2 = []; while(true) { $added = 0; foreach ($shares as $share) { try { $this->checkExpireDate($share); } catch (ShareNotFound $e) { //Ignore since this basically means the share is deleted continue; } $added++; $shares2[] = $share; if (count($shares2) === $limit) { break; } } // If we did not fetch more shares than the limit then there are no more shares if (count($shares) < $limit) { break; } if (count($shares2) === $limit) { break; } // If there was no limit on the select we are done if ($limit === -1) { break; } $offset += $added; // Fetch again $limit shares $shares = $provider->getSharesBy($userId, $shareType, $path, $reshares, $limit, $offset); // No more shares means we are done if (empty($shares)) { break; } } $shares = $shares2; return $shares; } /** * @inheritdoc */ public function getSharedWith($userId, $shareType, $node = null, $limit = 50, $offset = 0) { try { $provider = $this->factory->getProviderForType($shareType); } catch (ProviderException $e) { return []; } $shares = $provider->getSharedWith($userId, $shareType, $node, $limit, $offset); // remove all shares which are already expired foreach ($shares as $key => $share) { try { $this->checkExpireDate($share); } catch (ShareNotFound $e) { unset($shares[$key]); } } return $shares; } /** * @inheritdoc */ public function getShareById($id, $recipient = null) { if ($id === null) { throw new ShareNotFound(); } list($providerId, $id) = $this->splitFullId($id); try { $provider = $this->factory->getProvider($providerId); } catch (ProviderException $e) { throw new ShareNotFound(); } $share = $provider->getShareById($id, $recipient); $this->checkExpireDate($share); return $share; } /** * Get all the shares for a given path * * @param \OCP\Files\Node $path * @param int $page * @param int $perPage * * @return Share[] */ public function getSharesByPath(\OCP\Files\Node $path, $page=0, $perPage=50) { return []; } /** * Get the share by token possible with password * * @param string $token * @return Share * * @throws ShareNotFound */ public function getShareByToken($token) { $share = null; try { if($this->shareApiAllowLinks()) { $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_LINK); $share = $provider->getShareByToken($token); } } catch (ProviderException $e) { } catch (ShareNotFound $e) { } // If it is not a link share try to fetch a federated share by token if ($share === null) { try { $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_REMOTE); $share = $provider->getShareByToken($token); } catch (ProviderException $e) { } catch (ShareNotFound $e) { } } // If it is not a link share try to fetch a mail share by token if ($share === null && $this->shareProviderExists(\OCP\Share::SHARE_TYPE_EMAIL)) { try { $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_EMAIL); $share = $provider->getShareByToken($token); } catch (ProviderException $e) { } catch (ShareNotFound $e) { } } if ($share === null && $this->shareProviderExists(\OCP\Share::SHARE_TYPE_CIRCLE)) { try { $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_CIRCLE); $share = $provider->getShareByToken($token); } catch (ProviderException $e) { } catch (ShareNotFound $e) { } } if ($share === null) { throw new ShareNotFound($this->l->t('The requested share does not exist anymore')); } $this->checkExpireDate($share); /* * Reduce the permissions for link shares if public upload is not enabled */ if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK && !$this->shareApiLinkAllowPublicUpload()) { $share->setPermissions($share->getPermissions() & ~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE)); } return $share; } protected function checkExpireDate($share) { if ($share->getExpirationDate() !== null && $share->getExpirationDate() <= new \DateTime()) { $this->deleteShare($share); throw new ShareNotFound($this->l->t('The requested share does not exist anymore')); } } /** * Verify the password of a public share * * @param \OCP\Share\IShare $share * @param string $password * @return bool */ public function checkPassword(\OCP\Share\IShare $share, $password) { $passwordProtected = $share->getShareType() !== \OCP\Share::SHARE_TYPE_LINK || $share->getShareType() !== \OCP\Share::SHARE_TYPE_EMAIL; if (!$passwordProtected) { //TODO maybe exception? return false; } if ($password === null || $share->getPassword() === null) { return false; } $newHash = ''; if (!$this->hasher->verify($password, $share->getPassword(), $newHash)) { return false; } if (!empty($newHash)) { $share->setPassword($newHash); $provider = $this->factory->getProviderForType($share->getShareType()); $provider->update($share); } return true; } /** * @inheritdoc */ public function userDeleted($uid) { $types = [\OCP\Share::SHARE_TYPE_USER, \OCP\Share::SHARE_TYPE_GROUP, \OCP\Share::SHARE_TYPE_LINK, \OCP\Share::SHARE_TYPE_REMOTE, \OCP\Share::SHARE_TYPE_EMAIL]; foreach ($types as $type) { try { $provider = $this->factory->getProviderForType($type); } catch (ProviderException $e) { continue; } $provider->userDeleted($uid, $type); } } /** * @inheritdoc */ public function groupDeleted($gid) { $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_GROUP); $provider->groupDeleted($gid); } /** * @inheritdoc */ public function userDeletedFromGroup($uid, $gid) { $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_GROUP); $provider->userDeletedFromGroup($uid, $gid); } /** * Get access list to a path. This means * all the users that can access a given path. * * Consider: * -root * |-folder1 (23) * |-folder2 (32) * |-fileA (42) * * fileA is shared with user1 and user1@server1 * folder2 is shared with group2 (user4 is a member of group2) * folder1 is shared with user2 (renamed to "folder (1)") and user2@server2 * * Then the access list to '/folder1/folder2/fileA' with $currentAccess is: * [ * users => [ * 'user1' => ['node_id' => 42, 'node_path' => '/fileA'], * 'user4' => ['node_id' => 32, 'node_path' => '/folder2'], * 'user2' => ['node_id' => 23, 'node_path' => '/folder (1)'], * ], * remote => [ * 'user1@server1' => ['node_id' => 42, 'token' => 'SeCr3t'], * 'user2@server2' => ['node_id' => 23, 'token' => 'FooBaR'], * ], * public => bool * mail => bool * ] * * The access list to '/folder1/folder2/fileA' **without** $currentAccess is: * [ * users => ['user1', 'user2', 'user4'], * remote => bool, * public => bool * mail => bool * ] * * This is required for encryption/activity * * @param \OCP\Files\Node $path * @param bool $recursive Should we check all parent folders as well * @param bool $currentAccess Ensure the recipient has access to the file (e.g. did not unshare it) * @return array */ public function getAccessList(\OCP\Files\Node $path, $recursive = true, $currentAccess = false) { $owner = $path->getOwner()->getUID(); if ($currentAccess) { $al = ['users' => [], 'remote' => [], 'public' => false]; } else { $al = ['users' => [], 'remote' => false, 'public' => false]; } if (!$this->userManager->userExists($owner)) { return $al; } //Get node for the owner $userFolder = $this->rootFolder->getUserFolder($owner); if ($path->getId() !== $userFolder->getId() && !$userFolder->isSubNode($path)) { $path = $userFolder->getById($path->getId())[0]; } $providers = $this->factory->getAllProviders(); /** @var Node[] $nodes */ $nodes = []; if ($currentAccess) { $ownerPath = $path->getPath(); $ownerPath = explode('/', $ownerPath, 4); if (count($ownerPath) < 4) { $ownerPath = ''; } else { $ownerPath = $ownerPath[3]; } $al['users'][$owner] = [ 'node_id' => $path->getId(), 'node_path' => '/' . $ownerPath, ]; } else { $al['users'][] = $owner; } // Collect all the shares while ($path->getPath() !== $userFolder->getPath()) { $nodes[] = $path; if (!$recursive) { break; } $path = $path->getParent(); } foreach ($providers as $provider) { $tmp = $provider->getAccessList($nodes, $currentAccess); foreach ($tmp as $k => $v) { if (isset($al[$k])) { if (is_array($al[$k])) { $al[$k] = array_merge($al[$k], $v); } else { $al[$k] = $al[$k] || $v; } } else { $al[$k] = $v; } } } return $al; } /** * Create a new share * @return \OCP\Share\IShare */ public function newShare() { return new \OC\Share20\Share($this->rootFolder, $this->userManager); } /** * Is the share API enabled * * @return bool */ public function shareApiEnabled() { return $this->config->getAppValue('core', 'shareapi_enabled', 'yes') === 'yes'; } /** * Is public link sharing enabled * * @return bool */ public function shareApiAllowLinks() { return $this->config->getAppValue('core', 'shareapi_allow_links', 'yes') === 'yes'; } /** * Is password on public link requires * * @return bool */ public function shareApiLinkEnforcePassword() { return $this->config->getAppValue('core', 'shareapi_enforce_links_password', 'no') === 'yes'; } /** * Is default expire date enabled * * @return bool */ public function shareApiLinkDefaultExpireDate() { return $this->config->getAppValue('core', 'shareapi_default_expire_date', 'no') === 'yes'; } /** * Is default expire date enforced *` * @return bool */ public function shareApiLinkDefaultExpireDateEnforced() { return $this->shareApiLinkDefaultExpireDate() && $this->config->getAppValue('core', 'shareapi_enforce_expire_date', 'no') === 'yes'; } /** * Number of default expire days *shareApiLinkAllowPublicUpload * @return int */ public function shareApiLinkDefaultExpireDays() { return (int)$this->config->getAppValue('core', 'shareapi_expire_after_n_days', '7'); } /** * Allow public upload on link shares * * @return bool */ public function shareApiLinkAllowPublicUpload() { return $this->config->getAppValue('core', 'shareapi_allow_public_upload', 'yes') === 'yes'; } /** * check if user can only share with group members * @return bool */ public function shareWithGroupMembersOnly() { return $this->config->getAppValue('core', 'shareapi_only_share_with_group_members', 'no') === 'yes'; } /** * Check if users can share with groups * @return bool */ public function allowGroupSharing() { return $this->config->getAppValue('core', 'shareapi_allow_group_sharing', 'yes') === 'yes'; } /** * Copied from \OC_Util::isSharingDisabledForUser * * TODO: Deprecate fuction from OC_Util * * @param string $userId * @return bool */ public function sharingDisabledForUser($userId) { if ($userId === null) { return false; } if (isset($this->sharingDisabledForUsersCache[$userId])) { return $this->sharingDisabledForUsersCache[$userId]; } if ($this->config->getAppValue('core', 'shareapi_exclude_groups', 'no') === 'yes') { $groupsList = $this->config->getAppValue('core', 'shareapi_exclude_groups_list', ''); $excludedGroups = json_decode($groupsList); if (is_null($excludedGroups)) { $excludedGroups = explode(',', $groupsList); $newValue = json_encode($excludedGroups); $this->config->setAppValue('core', 'shareapi_exclude_groups_list', $newValue); } $user = $this->userManager->get($userId); $usersGroups = $this->groupManager->getUserGroupIds($user); if (!empty($usersGroups)) { $remainingGroups = array_diff($usersGroups, $excludedGroups); // if the user is only in groups which are disabled for sharing then // sharing is also disabled for the user if (empty($remainingGroups)) { $this->sharingDisabledForUsersCache[$userId] = true; return true; } } } $this->sharingDisabledForUsersCache[$userId] = false; return false; } /** * @inheritdoc */ public function outgoingServer2ServerSharesAllowed() { return $this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') === 'yes'; } /** * @inheritdoc */ public function shareProviderExists($shareType) { try { $this->factory->getProviderForType($shareType); } catch (ProviderException $e) { return false; } return true; } }