apply ACL groupfolders

ArtificialOwl · ArtificialOwl · commit d78ae7d160a4 · 2022-10-31T18:35:46.000-01:00
Signed-off-by: Maxence Lange &lt;maxence@artificial-owl.com&gt;
diff --git a/lib/FilesHooks.php b/lib/FilesHooks.php
@@ -27,17 +27,20 @@
 use OC\Files\Filesystem;
 use OC\Files\View;
 use OC\TagManager;
+use OC\User\NoUserException;
 use OCA\Activity\BackgroundJob\RemoteActivity;
 use OCA\Activity\Extension\Files;
 use OCA\Activity\Extension\Files_Sharing;
 use OCP\Activity\IManager;
+use OCP\AppFramework\QueryException;
 use OCP\Files\Config\ICachedMountFileInfo;
 use OCP\Files\Config\ICachedMountInfo;
 use OCP\Files\Config\IUserMountCache;
 use OCP\Files\IRootFolder;
 use OCP\Files\Mount\IMountPoint;
 use OCP\Files\Node;
 use OCP\Files\NotFoundException;
+use OCP\Files\NotPermittedException;
 use OCP\IConfig;
 use OCP\IDBConnection;
 use OCP\IGroup;
@@ -234,14 +237,7 @@ protected function addNotificationsForFileAction($filePath, $activityType, $subj
 		}
 
 		if ($this->config->getSystemValueBool('activity_use_cached_mountpoints', false)) {
-			$mountsForFile = $this->userMountCache->getMountsForFileId($fileId);
-			$affectedUserIds = array_map(function (ICachedMountInfo $mount) {
-				return $mount->getUser()->getUID();
-			}, $mountsForFile);
-			$affectedPaths = array_map(function (ICachedMountFileInfo $mount) {
-				return $this->getVisiblePath($mount->getPath());
-			}, $mountsForFile);
-			$affectedUsers = array_combine($affectedUserIds, $affectedPaths);
+			$affectedUsers = $this->getAffectedUsersFromCachedMounts($fileId);
 		} else {
 			$affectedUsers = $accessList['users'];
 		}
@@ -1219,4 +1215,157 @@ protected function commitActivityTransaction(bool $shouldFlush): void {
 		}
 		$this->connection->commit();
 	}
+
+
+	/**
+	 * @param int $fileId
+	 *
+	 * @return array
+	 */
+	private function getAffectedUsersFromCachedMounts(int $fileId): array {
+		$affectedUsers = $cachedMounts = [];
+		$mountsForFile = $this->userMountCache->getMountsForFileId($fileId);
+		foreach ($mountsForFile as $mount) {
+			$affectedUsers[$mount->getUser()->getUID()] = $this->getVisiblePath($mount->getPath());
+			$cachedMounts[] = [
+				'userId' => $mount->getUser()->getUID(),
+				'provider' => str_replace('\\\\', '\\', $mount->getMountProvider()),
+				'path' => $mount->getPath(),
+				'visiblePath' => $this->getVisiblePath($mount->getPath()),
+				'storageId' => $mount->getStorageId()
+			];
+		}
+
+		$unrelatedUsers = $this->getUnrelatedUsers($fileId, $cachedMounts);
+
+		return array_filter(
+			$affectedUsers, function ($userId) use ($unrelatedUsers) {
+			return !in_array($userId, $unrelatedUsers);
+		},
+			ARRAY_FILTER_USE_KEY
+		);
+	}
+
+
+	/**
+	 * returns an array of users that have confirmed no access to fileId
+	 *
+	 * @param int $fileId
+	 * @param array $cachedMounts
+	 *
+	 * @return string[] list of unrelated userIds
+	 */
+	private function getUnrelatedUsers(int $fileId, array $cachedMounts): array {
+		/** @var \OCA\GroupFolders\ACL\RuleManager $ruleManager */
+		try {
+			$ruleManager = \OC::$server->get(\OCA\GroupFolders\ACL\RuleManager::class);
+		} catch (\Exception $e) {
+			return []; // if we have no access to RuleManager, we cannot filter unrelated users
+		}
+
+		/** @var \OCA\GroupFolders\ACL\Rule[] $rules */
+		$rules = $knownRules = [];
+		foreach ($cachedMounts as $cachedMount) {
+			// we are only interested in filtering GroupFolders ACL
+			if ($cachedMount['provider'] !== 'OCA\GroupFolders\Mount\MountProvider') {
+				continue;
+			}
+
+			// caching rules based on storage id
+			$storageId = $cachedMount['storageId'];
+			if (!array_key_exists($storageId, $knownRules)) {
+				$knownRules[$storageId] = [];
+			}
+
+			// caching rules based on storage+path to file
+			if (!array_key_exists($cachedMount['visiblePath'], $knownRules[$storageId])) {
+				$path = $cachedMount['path'];
+
+				// we need mountPoint and folderId to generate the correct path
+				try {
+					$node = $this->rootFolder->get($path);
+					$mountPoint = $node->getMountPoint();
+					$folderId = $mountPoint->getFolderId();
+					$path = substr($path, strlen($mountPoint->getMountPoint()));
+				} catch (\Exception $e) {
+					// in case of issue during the process, we can imagine the user have no access to the file
+					$usersToCheck[] = $cachedMount['userId'];
+					continue; // we'll catch rules on next user with access to the file
+				}
+
+				// we generate a list of path from top level of group folder to the file itself to get all rules
+				$paths = ['__groupfolders/' . $folderId];
+				while ($path !== '') {
+					$paths[] = '__groupfolders/' . $folderId . '/' . $path;
+					$path = dirname($path);
+					if ($path === '.' || $path === '/') {
+						$path = '';
+					}
+				}
+
+				// we might already know the rules for some path of the list
+				$paths = array_filter($paths, function (string $path) use ($knownRules, $storageId): bool {
+					if (array_key_exists($path, $knownRules[$storageId])) {
+						return false;
+					}
+
+					return true;
+				});
+
+				// we get and store the rules for each path from the list
+				$rulesPerPath = $ruleManager->getAllRulesForPaths($storageId, $paths);
+				foreach (array_keys($rulesPerPath) as $path) {
+					$rules = array_merge($rules, $rulesPerPath[$path]);
+				}
+
+				$knownRules[$storageId][$cachedMount['visiblePath']] = true;
+			}
+		}
+
+		// using each rules that disable read permission to generate a list of users
+		// that might not have access to fileId
+		foreach ($rules as $rule) {
+			if (($rule->getMask() & 1) === 0
+				|| ($rule->getPermissions() & 1) !== 0) {
+				continue; // not interested of rules with 'mask' not including read capability (1), or if 'permission' does
+			}
+
+			$mapping = $rule->getUserMapping();
+			$id = $mapping->getId();
+
+			// if mapping is about user
+			if ($mapping->getType() === 'user' && !in_array($id, $usersToCheck)) {
+				$usersToCheck[] = $id;
+			}
+
+			// if mapping is about group
+			if ($mapping->getType() === 'group') {
+				$group = $this->groupManager->get($id);
+				if ($group === null) {
+					continue;
+				}
+				$userIds = array_map(function (IUser $user): string {
+					return $user->getUID();
+				}, $group->getUsers());
+
+				// merge current user list with members of the group
+				$usersToCheck = array_values(array_unique(array_merge($usersToCheck, $userIds)));
+			}
+		}
+
+		// now that we have a list of 'unstable' users, we confirm they have no access to the file
+		$filteredUsers = [];
+		foreach ($usersToCheck as $userId) {
+			try {
+				if (count($this->rootFolder->getUserFolder($userId)->getById($fileId)) > 0) {
+					continue; // looks like userId can access the file, checking next one
+				}
+			} catch (\Exception $e) {
+			}
+
+			$filteredUsers[] = $userId;
+		}
+
+		return $filteredUsers;
+	}
 }
