diff --git a/lib/Controller/WorkspaceController.php b/lib/Controller/WorkspaceController.php
index 4bffc6b4955..4cde7e1f5d3 100644
--- a/lib/Controller/WorkspaceController.php
+++ b/lib/Controller/WorkspaceController.php
@@ -52,6 +52,7 @@
use OCP\AppFramework\Http;
use OCP\AppFramework\Http\DataResponse;
use OCP\AppFramework\OCSController;
+use OCP\Constants;
use OCP\DirectEditing\IManager as IDirectEditingManager;
use OCP\DirectEditing\RegisterDirectEditorEvent;
use OCP\EventDispatcher\IEventDispatcher;
@@ -61,6 +62,7 @@
use OCP\Files\NotPermittedException;
use OCP\Files\StorageNotAvailableException;
use OCP\IRequest;
+use OCP\ISession;
use OCP\IURLGenerator;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
@@ -92,7 +94,10 @@ class WorkspaceController extends OCSController {
/** @var LoggerInterface */
private $logger;
- public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, $userId) {
+ /** @var ISession */
+ private $session;
+
+ public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, ISession $session, $userId) {
parent::__construct($appName, $request);
$this->rootFolder = $rootFolder;
$this->shareManager = $shareManager;
@@ -102,6 +107,7 @@ public function __construct($appName, IRequest $request, IRootFolder $rootFolder
$this->urlGenerator = $urlGenerator;
$this->eventDispatcher = $eventDispatcher;
$this->logger = $logger;
+ $this->session = $session;
}
/**
@@ -155,6 +161,15 @@ public function folder(string $path = '/'): DataResponse {
public function publicFolder(string $shareToken, string $path = '/'): DataResponse {
try {
$share = $this->shareManager->getShareByToken($shareToken);
+ if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
+ throw new ShareNotFound();
+ }
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new ShareNotFound();
+ }
+ }
$folder = $share->getNode()->get($path);
if ($folder instanceof Folder) {
$file = $this->workspaceService->getFile($folder);
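Review bot: The password branch added to publicFolder() depends on the bare session key `'public_link_authenticated'` and on a strict `!==` against `$share->getId()`, and neither dependency is explained in the code. Both fail closed, since a missing key or a value stored with a different type ends in `ShareNotFound`, but a later change to how the share-authentication flow writes that key would lock out correctly authenticated visitors with no hint why. I would add a comment above the block, e.g. `// Password-protected link: serve the workspace only if this session has already authenticated for this exact share id; otherwise treat the share as not found.` The visible diff adds no test for the missing-READ case or the unauthenticated-password case, so a regression in either check would go unnoticed. The try block and the rest of publicFolder() continue outside the hunk.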
diff --git a/tests/psalm-baseline.xml b/tests/psalm-baseline.xml
index 2873fc4a8af..c7cbcd383f9 100644
--- a/tests/psalm-baseline.xml
+++ b/tests/psalm-baseline.xml
@@ -7,11 +7,6 @@
LoadViewer
-
-
- void
-
-
InvalidTokenException
@@ -32,32 +27,25 @@
-
+
DataResponse
DataResponse
DataResponse
-
- $e
- $e
+
$this->rootFolder
$this->rootFolder
IRootFolder
IRootFolder
ShareNotFound
- StorageNotAvailableException
+ ShareNotFound
+ ShareNotFound
StorageNotAvailableException
-
- Exception
-
open
-
- $this->logger
-