From 3d608de733016c72d60669e538fc7b117c66d860 Mon Sep 17 00:00:00 2001
From: Roeland Jago Douma
Date: Sun, 6 Sep 2020 20:54:03 +0200
Subject: [PATCH] Harden read only check on public endpoints
Signed-off-by: Roeland Jago Douma
---
 lib/Service/ApiService.php | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/lib/Service/ApiService.php b/lib/Service/ApiService.php
index 097e6a39e6a..d318c1520d5 100644
--- a/lib/Service/ApiService.php
+++ b/lib/Service/ApiService.php
@@ -32,6 +32,7 @@ use OCA\Text\DocumentHasUnsavedChangesException;
 use OCA\Text\DocumentSaveConflictException;
 use OCA\Text\VersionMismatchException;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
@@ -63,6 +64,17 @@ public function create($fileId = null, $filePath = null, $token = null, $guestNa
 /** @var File $file */
 if ($token) {
 $file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath'));
+
+ /*
+ * Check if we have proper read access (files drop)
+ * If not then well 404 it is.
+ */
+ try {
+ $this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ);
+ } catch (NotFoundException $e) {
+ return new DataResponse([], Http::STATUS_NOT_FOUND);
+ }
+
 try {
 $this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE);
 $readOnly = false;
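Review bot: The new read-permission guard runs only after `getFileByShareToken($token, $this->request->getParam('filePath'))` has already resolved the file, so the share lookup (and whatever it does or raises) still happens for tokens that are about to be rejected; placing the `checkSharePermissions($token, Constants::PERMISSION_READ)` block above the `$file = ...` line would reject unreadable shares before any file resolution. The guard also catches `NotFoundException` alone; if `checkSharePermissions` reports a denied permission through a different exception type, that case would propagate as an unhandled error instead of the intended 404, which is worth confirming against its implementation outside this hunk. Answering 404 rather than 403 is the right choice on a public endpoint because it does not disclose whether the token exists, and a comment stating that intent, `// 404 (not 403) so an unreadable share is indistinguishable from a missing one`, would carry more than the current "well 404 it is". The catch binds `$e` without using it, so if the project's PHP baseline permits it the variable can be dropped (`} catch (NotFoundException) {`). The enclosing `create()` begins before and continues after the hunk.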