From cbe17b719eb70a6c054871df48d631db22a985f5 Mon Sep 17 00:00:00 2001
From: Aleksandr Fedorov
Date: Fri, 15 Sep 2023 12:58:56 +0300
Subject: [PATCH 1/2] added: access to editor for anonymous user
---
 CHANGELOG.md | 4 ++++
 src/main/java/onlyoffice/OnlyOfficeEditorServlet.java | 10 +++++-----
 .../java/onlyoffice/OnlyOfficeFileProviderServlet.java | 4 ++--
 .../java/onlyoffice/managers/auth/AuthContext.java | 1 +
 .../java/onlyoffice/managers/auth/AuthContextImpl.java | 2 +-
 .../java/onlyoffice/managers/url/UrlManagerImpl.java | 5 ++++-
 .../utils/attachment/AttachmentUtilImpl.java | 8 --------
 7 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4477ae5..7d8aed6f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,5 +1,9 @@
 # Change Log
+##
+## Added
+- access to editor for anonymous user
+
 ## 4.3.1
 ## Changed
 - vulnerability dependency update
diff --git a/src/main/java/onlyoffice/OnlyOfficeEditorServlet.java b/src/main/java/onlyoffice/OnlyOfficeEditorServlet.java
index 0e51d74c..e62980f8 100644
--- a/src/main/java/onlyoffice/OnlyOfficeEditorServlet.java
+++ b/src/main/java/onlyoffice/OnlyOfficeEditorServlet.java
@@ -76,10 +76,6 @@ public OnlyOfficeEditorServlet(final I18nResolver i18n, final UrlManager urlMana
 @Override
 public void doGet(final HttpServletRequest request, final HttpServletResponse response) throws ServletException, IOException {
- if (!authContext.checkUserAuthorization(request, response)) {
- return;
- }
-
 ConfluenceUser user = AuthenticatedUserThreadLocal.get();
 String attachmentIdString = request.getParameter("attachmentId");
@@ -87,6 +83,10 @@ public void doGet(final HttpServletRequest request, final HttpServletResponse re
 String referer = request.getHeader("referer");
 if (attachmentIdString == null || attachmentIdString.isEmpty()) {
+ if (!authContext.checkUserAuthorization(request, response)) {
+ return;
+ }
+
 String fileName = request.getParameter("fileName");
 String fileExt = request.getParameter("fileExt");
 String pageId = request.getParameter("pageId");
@@ -118,7 +118,7 @@ public void doGet(final HttpServletRequest request, final HttpServletResponse re
 }
 if (!attachmentUtil.checkAccess(attachmentId, user, false)) {
- response.sendRedirect(attachment.getContainer().getUrlPath());
+ response.sendRedirect(authContext.getLoginUrl(request));
 return;
 }
diff --git a/src/main/java/onlyoffice/OnlyOfficeFileProviderServlet.java b/src/main/java/onlyoffice/OnlyOfficeFileProviderServlet.java
index 27c0f825..f3df6e47 100644
--- a/src/main/java/onlyoffice/OnlyOfficeFileProviderServlet.java
+++ b/src/main/java/onlyoffice/OnlyOfficeFileProviderServlet.java
@@ -82,12 +82,12 @@ public void doGet(final HttpServletRequest request, final HttpServletResponse re
 throw new SecurityException("Invalid link token!");
 }
- String userKeyString = bodyFromToken.getString("userKey");
+ String userKeyString = bodyFromToken.has("userKey") ? bodyFromToken.getString("userKey") : null;
 String attachmentIdString = bodyFromToken.getString("attachmentId");
 UserAccessor userAccessor = (UserAccessor) ContainerManager.getComponent("userAccessor");
- UserKey userKey = new UserKey(userKeyString);
+ UserKey userKey = userKeyString == null || userKeyString.equals("") ? null : new UserKey(userKeyString);
 ConfluenceUser user = userAccessor.getUserByKey(userKey);
 Long attachmentId = Long.parseLong(attachmentIdString);
diff --git a/src/main/java/onlyoffice/managers/auth/AuthContext.java b/src/main/java/onlyoffice/managers/auth/AuthContext.java
index c596d50a..7c2b0fed 100644
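Review bot: In OnlyOfficeEditorServlet.doGet the login check now runs only inside the `attachmentIdString == null || attachmentIdString.isEmpty()` branch (hunk `@@ -87,6 +83,10 @@`), so every request that carries an attachmentId continues with `user` possibly null, and nothing in the code says so. The rest of doGet lies outside the hunk; any later dereference of `user` or decision about edit mode there has to tolerate a null user, which cannot be confirmed from here. I would add a comment above the guard such as `// Creating a file requires a logged-in user; opening an existing attachment may be anonymous and is authorized by checkAccess below`. The changelog wording in patch 2/2 ("opening documents for viewing by an anonymous user") suggests the editor should be view-only when `user == null`; that intent is worth enforcing explicitly rather than leaving it to the permission lookup.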
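Review bot: `attachmentUtil.checkAccess(attachmentId, user, false)` (hunk `@@ -118,7 +118,7 @@` of OnlyOfficeEditorServlet) is now the only gate on the attachment path, and the same commit removes the `user == null` early returns from both `checkAccess` overloads in AttachmentUtilImpl, so an anonymous request is decided entirely by how the permission manager treats a null user. That dependency deserves a comment at this call, e.g. `// user may be null (anonymous); access then depends on the space's anonymous permissions`, and a test with anonymous access disabled. Separately, a logged-in user who lacks view permission is now sent to `authContext.getLoginUrl(request)` instead of the container page; presumably the `permissionViolation=true` login page handles that case, but it should be confirmed. The enclosing doGet starts and ends outside the hunk.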
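Review bot: In OnlyOfficeFileProviderServlet.doGet (hunk `@@ -82,12 +82,12 @@`) a token with no `userKey`, an empty one, or one that no longer resolves to a user all end up as `user == null`, which after this commit means anonymous rather than denied. I would keep the anonymous case explicit and reject a key that is present but unknown: `ConfluenceUser user = userKey == null ? null : userAccessor.getUserByKey(userKey);` followed by `if (userKey != null && user == null) { throw new SecurityException("Invalid link token!"); }`. That also avoids passing a null key to `getUserByKey`, whose null handling is not visible here. `userKeyString.equals("")` reads better as `userKeyString.isEmpty()`. The access check that consumes `user` is outside the hunk.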
--- a/src/main/java/onlyoffice/managers/auth/AuthContext.java
+++ b/src/main/java/onlyoffice/managers/auth/AuthContext.java
@@ -6,4 +6,5 @@ public interface AuthContext {
 boolean checkUserAuthorization(HttpServletRequest request, HttpServletResponse response) throws IOException;
+ String getLoginUrl(HttpServletRequest request) throws IOException;
 }
diff --git a/src/main/java/onlyoffice/managers/auth/AuthContextImpl.java b/src/main/java/onlyoffice/managers/auth/AuthContextImpl.java
index 1f045205..29595252 100644
--- a/src/main/java/onlyoffice/managers/auth/AuthContextImpl.java
+++ b/src/main/java/onlyoffice/managers/auth/AuthContextImpl.java
@@ -44,7 +44,7 @@ public boolean checkUserAuthorization(final HttpServletRequest request, final Ht
 return true;
 }
- private String getLoginUrl(final HttpServletRequest request) throws IOException {
+ public String getLoginUrl(final HttpServletRequest request) throws IOException {
 StringBuilder stringBuilder = new StringBuilder(request.getContextPath());
 String fullUrl = stringBuilder.append("/login.action?permissionViolation=true&os_destination=")
 .append("plugins%2Fservlet%2Fonlyoffice%2Fdoceditor").append("?")
diff --git a/src/main/java/onlyoffice/managers/url/UrlManagerImpl.java b/src/main/java/onlyoffice/managers/url/UrlManagerImpl.java
index 45907c07..3bd4db02 100644
--- a/src/main/java/onlyoffice/managers/url/UrlManagerImpl.java
+++ b/src/main/java/onlyoffice/managers/url/UrlManagerImpl.java
@@ -89,7 +89,10 @@ public String getFileUri(final Long attachmentId) {
 ConfluenceUser user = AuthenticatedUserThreadLocal.get();
 Map params = new HashMap<>();
- params.put("userKey", user.getKey().getStringValue());
+
+ if (user != null) {
+ params.put("userKey", user.getKey().getStringValue());
+ }
 params.put("attachmentId", attachmentId.toString());
 params.put("action", "download");
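Review bot: `getLoginUrl` in AuthContextImpl (hunk `@@ -44,7 +44,7 @@`) now implements the method added to the AuthContext interface but carries no `@Override`; add it on the line above `public String getLoginUrl(final HttpServletRequest request) throws IOException {`. Since the editor servlet now redirects to this value, the method also deserves a Javadoc stating that it returns a context-relative login URL whose `os_destination` points back to the doceditor servlet. The builder chain continues past the end of the hunk after `.append("?")`; if request parameters are appended there, they should be URL-encoded so they stay inside `os_destination` instead of becoming parameters of `login.action`. Whether that is already done is not visible here.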
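Review bot: The new `if (user != null)` guard in UrlManagerImpl.getFileUri (hunk `@@ -89,7 +89,10 @@`) changes the meaning of the generated link without saying so: a token without `userKey` is exactly what OnlyOfficeFileProviderServlet now reads as an anonymous download. That contract spans two files and should be written down at the guard, for example `// Anonymous session: omit userKey; the file provider servlet treats a token without it as an anonymous request`. The rest of getFileUri, including how `params` is turned into the link token, is outside the hunk.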
diff --git a/src/main/java/onlyoffice/utils/attachment/AttachmentUtilImpl.java b/src/main/java/onlyoffice/utils/attachment/AttachmentUtilImpl.java
index 985cde21..c29a935c 100644
--- a/src/main/java/onlyoffice/utils/attachment/AttachmentUtilImpl.java
+++ b/src/main/java/onlyoffice/utils/attachment/AttachmentUtilImpl.java
@@ -102,20 +102,12 @@ public Attachment getAttachmentByName(final String fileName, final Long pageId)
 }
 public boolean checkAccess(final Long attachmentId, final User user, final boolean forEdit) {
- if (user == null) {
- return false;
- }
-
 Attachment attachment = attachmentManager.getAttachment(attachmentId);
 return checkAccess(attachment, user, forEdit);
 }
 public boolean checkAccess(final Attachment attachment, final User user, final boolean forEdit) {
- if (user == null) {
- return false;
- }
-
 PermissionManager permissionManager = (PermissionManager) ContainerManager.getComponent("permissionManager");
 if (forEdit) {
From cb3894b39bf0a818b61e8c7bb6ea40dbbce7521e Mon Sep 17 00:00:00 2001
From: Aleksandr Fedorov
Date: Mon, 18 Sep 2023 14:40:17 +0300
Subject: [PATCH 2/2] anonymous-access to changelog
---
 CHANGELOG.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 086d64c5..ea6f4a5a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,7 +2,7 @@
 ##
 ## Added
-- access to editor for anonymous user
+- opening documents for viewing by an anonymous user
 - edit button in ONLYOFFICE preview macro
 - link to docs cloud