Merge pull request #54 from nextcloud/backport-upload-only-shares

[stable9] Backport files drop feature

Author: LukasReschke

apps/dav/appinfo/v1/publicwebdav.php

@@ -59,13 +59,17 @@
 	$rootShare = \OCP\Share::resolveReShare($share);
 	$owner = $rootShare['uid_owner'];
 	$isWritable = $share['permissions'] & (\OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_CREATE);
+	$isReadable = $share['permissions'] & \OCP\Constants::PERMISSION_READ;
 	$fileId = $share['file_source'];
 
 	if (!$isWritable) {
 		\OC\Files\Filesystem::addStorageWrapper('readonly', function ($mountPoint, $storage) {
 			return new \OC\Files\Storage\Wrapper\PermissionsMask(array('storage' => $storage, 'mask' => \OCP\Constants::PERMISSION_READ + \OCP\Constants::PERMISSION_SHARE));
 		});
 	}
+	if (!$isReadable) {
+		return false;
+	}
 
 	OC_Util::setupFS($owner);
 	$ownerView = \OC\Files\Filesystem::getView();

apps/files/ajax/upload.php

@@ -43,6 +43,7 @@
 // If no token is sent along, rely on login only
 
 $errorCode = null;
+$errorFileName = null;
 
 $l = \OC::$server->getL10N('files');
 if (empty($_POST['dirToken'])) {
@@ -161,6 +162,15 @@
 			$resolution = null;
 		}
 
+		if(isset($_POST['dirToken'])) {
+			// If it is a read only share the resolution will always be autorename
+			$shareManager = \OC::$server->getShareManager();
+			$share = $shareManager->getShareByToken((string)$_POST['dirToken']);
+			if (!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+				$resolution = 'autorename';
+			}
+		}
+
 		// target directory for when uploading folders
 		$relativePath = '';
 		if(!empty($_POST['file_directory'])) {
@@ -216,6 +226,7 @@
 
 				} else {
 					$error = $l->t('Upload failed. Could not find uploaded file');
+					$errorFileName = $files['name'][$i];
 				}
 			} catch(Exception $ex) {
 				$error = $ex->getMessage();
@@ -247,7 +258,26 @@
 }
 
 if ($error === false) {
+	// Do not leak file information if it is a read-only share
+	if(isset($_POST['dirToken'])) {
+		$shareManager = \OC::$server->getShareManager();
+		$share = $shareManager->getShareByToken((string)$_POST['dirToken']);
+		if (!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+			$newResults = [];
+			foreach($result as $singleResult) {
+				$fileName = $singleResult['originalname'];
+				$newResults['filename'] = $fileName;
+				$newResults['mimetype'] = \OC::$server->getMimeTypeDetector()->detectPath($fileName);
+			}
+			$result = $newResults;
+		}
+	}
+
 	OCP\JSON::encodedPrint($result);
 } else {
-	OCP\JSON::error(array(array('data' => array_merge(array('message' => $error, 'code' => $errorCode), $storageStats))));
+	OCP\JSON::error(array(array('data' => array_merge(array(
+		'message' => $error,
+		'code' => $errorCode,
+		'filename' => $errorFileName
+	), $storageStats))));
 }

apps/files_sharing/ajax/publicpreview.php

@@ -42,6 +42,12 @@
 }
 
 $linkedItem = \OCP\Share::getShareByToken($token);
+$shareManager = \OC::$server->getShareManager();
+$share = $shareManager->getShareByToken($token);
+if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+	OCP\JSON::error(array('data' => 'Share is not readable.'));
+	exit();
+}
 if($linkedItem === false || ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) {
 	\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
 	\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);

apps/files_sharing/ajax/shareinfo.php

@@ -62,6 +62,15 @@
 $rootInfo = \OC\Files\Filesystem::getFileInfo($path);
 $rootView = new \OC\Files\View('');
 
+
+$shareManager = \OC::$server->getShareManager();
+$share = $shareManager->getShareByToken($token);
+$sharePermissions= (int)$share->getPermissions();
+if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+	OCP\JSON::error(array('data' => 'Share is not readable.'));
+	exit();
+}
+
 /**
  * @param \OCP\Files\FileInfo $dir
  * @param \OC\Files\View $view

apps/files_sharing/api/share20ocs.php

@@ -584,6 +584,7 @@ public function updateShare($id) {
 
 			if ($newPermissions !== null &&
 				$newPermissions !== \OCP\Constants::PERMISSION_READ &&
+				$newPermissions !== (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE) &&
 				$newPermissions !== (\OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE)) {
 				return new \OC_OCS_Result(null, 400, 'can\'t change permission for public link share');
 			}

apps/files_sharing/css/public.css

@@ -158,3 +158,62 @@ thead {
 	opacity: 1;
 	cursor: pointer;
 }
+
+#public-upload .avatardiv {
+	margin: 0 auto;
+}
+
+#public-upload #emptycontent h2 {
+	margin: 10px 0 5px 0;
+}
+
+#public-upload #emptycontent h2+p {
+	margin-bottom: 30px;
+}
+
+#public-upload #emptycontent .icon-folder {
+	height: 16px;
+	width: 16px;
+	background-size: 16px;
+	display: inline-block;
+	vertical-align: text-top;
+	margin-bottom: 0;
+	margin-right: 5px;
+	opacity: 1;
+}
+
+#public-upload #emptycontent .button {
+	background-size: 16px;
+	height: 16px;
+	width: 16px;
+	background-position: 16px;
+	opacity: .7;
+	font-size: 20px;
+	margin: 20px;
+	padding: 10px 20px;
+	padding-left: 42px;
+	font-weight: normal;
+}
+
+#public-upload #emptycontent ul {
+	width: 160px;
+	margin: 5px auto;
+	text-align: left;
+}
+
+#public-upload #emptycontent li {
+	overflow: hidden;
+	text-overflow: ellipsis;
+	white-space: nowrap;
+	padding: 7px 0;
+}
+
+#public-upload #emptycontent li img {
+	vertical-align: text-bottom;
+	margin-right: 5px;
+}
+
+#public-upload li span.icon-loading-small {
+	padding-left: 18px;
+	margin-right: 7px;
+}

apps/files_sharing/js/files_drop.js

@@ -0,0 +1,109 @@
+/*
+ * Copyright (c) 2016 Lukas Reschke <lukas@statuscode.ch>
+ *
+ * This file is licensed under the Affero General Public License version 3
+ * or later.
+ *
+ * See the COPYING-README file.
+ *
+ */
+
+(function ($) {
+	var TEMPLATE =
+		'<li data-toggle="tooltip" title="{{name}}" data-name="{{name}}">' +
+		'{{#if isUploading}}' +
+		'<span class="icon-loading-small"></span> {{name}}' +
+		'{{else}}' +
+		'<img src="' + OC.imagePath('core', 'actions/error.svg') + '"/> {{name}}' +
+		'{{/if}}' +
+		'</li>';
+	var Drop = {
+		/** @type {Function} **/
+		_template: undefined,
+
+		initialize: function () {
+			$(document).bind('drop dragover', function (e) {
+				// Prevent the default browser drop action:
+				e.preventDefault();
+			});
+			var output = this.template();
+			$('#public-upload').fileupload({
+				url: OC.linkTo('files', 'ajax/upload.php'),
+				dataType: 'json',
+				dropZone: $('#public-upload'),
+				formData: {
+					dirToken: $('#sharingToken').val()
+				},
+				add: function(e, data) {
+					var errors = [];
+					if(data.files[0]['size'] && data.files[0]['size'] > $('#maxFilesizeUpload').val()) {
+						errors.push('File is too big');
+					}
+
+					$('#drop-upload-done-indicator').addClass('hidden');
+					$('#drop-upload-progress-indicator').removeClass('hidden');
+					_.each(data['files'], function(file) {
+						if(errors.length === 0) {
+							$('#public-upload ul').append(output({isUploading: true, name: escapeHTML(file.name)}));
+							$('[data-toggle="tooltip"]').tooltip();
+							data.submit();
+						} else {
+							OC.Notification.showTemporary(OC.L10N.translate('files_sharing', 'Could not upload "{filename}"', {filename: file.name}));
+							$('#public-upload ul').append(output({isUploading: false, name: escapeHTML(file.name)}));
+							$('[data-toggle="tooltip"]').tooltip();
+						}
+					});
+				},
+				success: function (response) {
+					if(response.status !== 'error') {
+						var mimeTypeUrl = OC.MimeType.getIconUrl(response['mimetype']);
+						$('#public-upload ul li[data-name="' + escapeHTML(response['filename']) + '"]').html('<img src="' + escapeHTML(mimeTypeUrl) + '"/> ' + escapeHTML(response['filename']));
+						$('[data-toggle="tooltip"]').tooltip();
+					} else {
+						var name = response[0]['data']['filename'];
+						OC.Notification.showTemporary(OC.L10N.translate('files_sharing', 'Could not upload "{filename}"', {filename: name}));
+						$('#public-upload ul li[data-name="' + escapeHTML(name) + '"]').html(output({isUploading: false, name: escapeHTML(name)}));
+						$('[data-toggle="tooltip"]').tooltip();
+					}
+
+				},
+				progressall: function (e, data) {
+					var progress = parseInt(data.loaded / data.total * 100, 10);
+					if(progress === 100) {
+						$('#drop-upload-done-indicator').removeClass('hidden');
+						$('#drop-upload-progress-indicator').addClass('hidden');
+					} else {
+						$('#drop-upload-done-indicator').addClass('hidden');
+						$('#drop-upload-progress-indicator').removeClass('hidden');
+					}
+				}
+			});
+			$('#public-upload .button.icon-upload').click(function(e) {
+				e.preventDefault();
+				$('#public-upload #emptycontent input').focus().trigger('click');
+			});
+		},
+
+		/**
+		 * @returns {Function} from Handlebars
+		 * @private
+		 */
+		template: function () {
+			if (!this._template) {
+				this._template = Handlebars.compile(TEMPLATE);
+			}
+			return this._template;
+		}
+	};
+
+	$(document).ready(function() {
+		if($('#upload-only-interface').val() === "1") {
+			$('.avatardiv').avatar($('#sharingUserId').val(), 128, true);
+		}
+
+		OCA.Files_Sharing_Drop = Drop;
+		OCA.Files_Sharing_Drop.initialize();
+	});
+
+
+})(jQuery);

apps/files_sharing/lib/controllers/sharecontroller.php

@@ -307,6 +307,7 @@ public function showShare($token, $path = '') {
 		$shareTmpl['fileSize'] = \OCP\Util::humanFileSize($share->getNode()->getSize());
 
 		// Show file list
+		$hideFileList = false;
 		if ($share->getNode() instanceof \OCP\Files\Folder) {
 			$shareTmpl['dir'] = $rootFolder->getRelativePath($path->getPath());
 
@@ -322,12 +323,14 @@ public function showShare($token, $path = '') {
 
 			$uploadLimit = Util::uploadLimit();
 			$maxUploadFilesize = min($freeSpace, $uploadLimit);
+			$hideFileList = $share->getPermissions() & \OCP\Constants::PERMISSION_READ ? false : true;
 
 			$folder = new Template('files', 'list', '');
 			$folder->assign('dir', $rootFolder->getRelativePath($path->getPath()));
 			$folder->assign('dirToken', $token);
 			$folder->assign('permissions', \OCP\Constants::PERMISSION_READ);
 			$folder->assign('isPublic', true);
+			$folder->assign('hideFileList', $hideFileList);
 			$folder->assign('publicUploadEnabled', 'no');
 			$folder->assign('uploadMaxFilesize', $maxUploadFilesize);
 			$folder->assign('uploadMaxHumanFilesize', OCP\Util::humanFileSize($maxUploadFilesize));
@@ -338,6 +341,8 @@ public function showShare($token, $path = '') {
 			$shareTmpl['folder'] = $folder->fetchPage();
 		}
 
+		$shareTmpl['hideFileList'] = $hideFileList;
+		$shareTmpl['shareOwner'] = $this->userManager->get($share->getShareOwner())->getDisplayName();
 		$shareTmpl['downloadURL'] = $this->urlGenerator->linkToRouteAbsolute('files_sharing.sharecontroller.downloadShare', array('token' => $token));
 		$shareTmpl['maxSizeAnimateGif'] = $this->config->getSystemValue('max_filesize_animated_gifs_public_sharing', 10);
 		$shareTmpl['previewEnabled'] = $this->config->getSystemValue('enable_previews', true);
@@ -360,12 +365,15 @@ public function showShare($token, $path = '') {
 	 * @param string $files
 	 * @param string $path
 	 * @param string $downloadStartSecret
-	 * @return void|RedirectResponse
+	 * @return void|OCP\AppFramework\Http\Response
 	 */
 	public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
 		\OC_User::setIncognitoMode(true);
 
 		$share = $this->shareManager->getShareByToken($token);
+		if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+			return new OCP\AppFramework\Http\DataResponse('Share is read-only');
+		}
 
 		// Share is password protected - check whether the user is permitted to access the share
 		if ($share->getPassword() !== null && !$this->linkShareAuth($share)) {