From de7c56746db863f04c898005c05abcbe67594ee7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Wed, 6 Oct 2021 09:23:44 +0200
Subject: [PATCH 1/2] Additional checks for workspace controller
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Controller/WorkspaceController.php | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/lib/Controller/WorkspaceController.php b/lib/Controller/WorkspaceController.php
index 57d90cd597f..22783b9d7e1 100644
--- a/lib/Controller/WorkspaceController.php
+++ b/lib/Controller/WorkspaceController.php
@@ -54,6 +54,7 @@ use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\OCSController;
+use OCP\Constants;
 use OCP\DirectEditing\IManager as IDirectEditingManager;
 use OCP\DirectEditing\RegisterDirectEditorEvent;
 use OCP\EventDispatcher\IEventDispatcher;
@@ -62,6 +63,7 @@ use OCP\Files\NotFoundException;
 use OCP\Files\StorageNotAvailableException;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
@@ -148,6 +150,15 @@ public function folder(string $path = '/'): DataResponse {
 public function publicFolder(string $shareToken, string $path = '/'): DataResponse {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
+ if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
+ throw new ShareNotFound();
+ }
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new ShareNotFound();
+ }
+ }
 $folder = $share->getNode()->get($path);
 if ($folder instanceof Folder) {
 $file = $this->workspaceService->getFile($folder);
From 11f6bb175bd3b7ffa4c249ae59f38fbdc858faba Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 2 Nov 2021 10:59:43 +0100
Subject: [PATCH 2/2] Add missing ISession
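Review bot: `$this->session->get('public_link_authenticated')` in the new password gate of publicFolder reads a property that this patch neither declares nor injects; the `use OCP\ISession;` import is added here, but the `$session` property and constructor argument only arrive in PATCH 2/2, so at this commit a password-protected share produces a call on null rather than the intended `ShareNotFound`, and the series should be squashed to stay buildable at every step. Both new guards deliberately raise the same `ShareNotFound` that an unknown token raises, which is the right fail-closed shape, but a comment should say so and name the contract the check depends on, e.g. `// Unreadable shares and password-protected shares without a matching 'public_link_authenticated' session entry are reported exactly like a missing token.` The `!==` against `$share->getId()` presumably requires the session value and the share id to be the same scalar type, which is worth pinning with a test that uses a password-protected share and an empty session. publicFolder's try/catch continues outside the hunk.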
Signed-off-by: Lukas Reschke
---
 lib/Controller/WorkspaceController.php | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/lib/Controller/WorkspaceController.php b/lib/Controller/WorkspaceController.php
index 22783b9d7e1..2a9dcba8006 100644
--- a/lib/Controller/WorkspaceController.php
+++ b/lib/Controller/WorkspaceController.php
@@ -91,7 +91,19 @@ class WorkspaceController extends OCSController {
 /** @var IEventDispatcher */
 private $eventDispatcher;
- public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, $userId) {
+ /** @var ISession */
+ private $session;
+
+ public function __construct($appName,
+ IRequest $request,
+ IRootFolder $rootFolder,
+ IManager $shareManager,
+ IDirectEditingManager $directEditingManager,
+ IURLGenerator $urlGenerator,
+ WorkspaceService $workspaceService,
+ IEventDispatcher $eventDispatcher,
+ ISession $session,
+ $userId) {
 parent::__construct($appName, $request);
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
@@ -100,6 +112,7 @@ public function __construct($appName, IRequest $request, IRootFolder $rootFolder
 $this->directEditingManager = $directEditingManager;
 $this->urlGenerator = $urlGenerator;
 $this->eventDispatcher = $eventDispatcher;
+ $this->session = $session;
 }
 /**
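Review bot: The new `$session` property in the first hunk carries no hint of what it is for; its only reader, publicFolder in PATCH 1/2, uses it to check the `public_link_authenticated` marker of password-protected link shares, so the docblock should say `/** @var ISession used to verify public-link password authentication in publicFolder() */`. The rewritten signature places `ISession $session` before `$userId`, so anything that constructs the controller positionally (presumably tests) has to be updated with it. `$appName` and `$userId` remaining untyped is pre-existing, but it stands out now that every neighbouring parameter is typed.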