
Commit d68f700

juliusknorrmax-nextcloud
authored andcommitted
fix: Apply checks on shares in the middleware
Signed-off-by: Julius Härtl <jus@bitgrid.net> Signed-off-by: Max <max@nextcloud.com>
1 parent 3d096d8 commit d68f700

1 file changed

Lines changed: 28 additions & 0 deletions


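--- a/lib/Service/AttachmentService.php
+++ b/lib/Service/AttachmentService.php
@@ -39,6 +39,7 @@
 use OCP\Files\NotPermittedException;
 use OCP\Files\SimpleFS\ISimpleFile;
 use OCP\IPreview;
+use OCP\ISession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IShare;
 use OCP\Util;
@@ -59,6 +60,10 @@ class AttachmentService {
 * @var IPreview
 */
 private $previewManager;
+/**
+* @var ISession
+*/
+private $session;
 /**
 * @var IMimeTypeDetector
 */
@@ -67,10 +72,12 @@ class AttachmentService {
 public function __construct(IRootFolder $rootFolder,
 ShareManager $shareManager,
 IPreview $previewManager,
+ISession $session,
 IMimeTypeDetector $mimeTypeDetector) {
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
 $this->previewManager = $previewManager;
+$this->session = $session;
 $this->mimeTypeDetector = $mimeTypeDetector;
 }
 
@@ -545,6 +552,27 @@ private function getTextFilePublic(?int $documentId, string $shareToken): File {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
 if ($share->getShareType() === IShare::TYPE_LINK) {
+
+// check for password if required
+/** @psalm-suppress RedundantConditionGivenDocblockType */
+if ($share->getPassword() !== null) {
+$shareId = $this->session->get('public_link_authenticated');
+if ($share->getId() !== $shareId) {
+throw new ShareNotFound();
+}
+}
+
+// check read permission
+if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
+throw new ShareNotFound();
+}
+
+// check download permission
+$attributes = $share->getAttributes();
+if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+throw new ShareNotFound();
+}
+
 // shared file or folder?
 if ($share->getNodeType() === 'file') {
 $textFile = $share->getNode();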
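Review bot: The password gate at new lines 558–562 compares `$share->getId()` with whatever the session holds under `'public_link_authenticated'` using `!==`, and nothing in this hunk establishes the type or shape of that value. A missing or differently typed value fails closed, which is the safe direction, but visitors who did enter the password would then be rejected; and because only the share id is compared, a session that authenticated before the share's password was changed presumably still passes unless the server clears the key. I would document the contract where the value is read, e.g. `// written by the public share authentication page; anything other than this share's id is treated as unauthenticated`, and confirm the stored format against the server versions this app supports. The three checks are also inlined here; a private helper such as `assertPublicShareReadable(IShare $share): void` would keep them in one place for any other token-based path in the service. `getTextFilePublic` starts and ends outside the hunk, so how `ShareNotFound` is handled by the surrounding `try` is not visible.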
