cs3org · butonic · Jul 1, 2022 · Jul 1, 2022
@@ -0,0 +1,8 @@
+Bugfix: Forbid resharing with higher permissions
+
+When creating a public link from a viewer share a user was able to set editor permissions on that link.
+This was because of a missing check that is added now
+
+https://github.com/owncloud/ocis/issues/4061
+https://github.com/owncloud/ocis/issues/3881
+https://github.com/owncloud/ocis/pull/4077
@@ -119,6 +119,14 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
 		newPermissions = conversions.RoleFromOCSPermissions(permissions).CS3ResourcePermissions()
 	}
 
+	if !sufficientPermissions(statInfo.PermissionSet, newPermissions) {
+		return nil, &ocsError{
+			Code:    http.StatusNotFound,
+			Message: "Cannot set the requested share permissions",
+			Error:   errors.New("cannot set the requested share permissions"),
+		}
+	}
+
 	req := link.CreatePublicShareRequest{
 		ResourceInfo: statInfo,
 		Grant: &link.Grant{
@@ -342,6 +350,19 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 		}
 	}
 
+	statReq := provider.StatRequest{Ref: &provider.Reference{ResourceId: before.Share.ResourceId}}
+	statRes, err := gwC.Stat(r.Context(), &statReq)
+	if err != nil {
+		log.Debug().Err(err).Str("shares", "update public share").Msg("error during stat")
+		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "missing resource information", fmt.Errorf("error getting resource information"))
+		return
+	}
+
+	if !sufficientPermissions(statRes.Info.PermissionSet, newPermissions) {
+		response.WriteOCSError(w, r, response.MetaBadRequest.StatusCode, "no share permission", nil)
+		return
+	}
+
 	// ExpireDate
 	expireTimeString, ok := r.Form["expireDate"]
 	// check if value is set and must be updated or cleared
@@ -411,15 +432,6 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
 		return
 	}
 
-	statReq := provider.StatRequest{Ref: &provider.Reference{ResourceId: before.Share.ResourceId}}
-
-	statRes, err := gwC.Stat(r.Context(), &statReq)
-	if err != nil {
-		log.Debug().Err(err).Str("shares", "update public share").Msg("error during stat")
-		response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "missing resource information", fmt.Errorf("error getting resource information"))
-		return
-	}
-
 	s := conversions.PublicShare2ShareData(publicShare, r, h.publicURL)
 	err = h.addFileInfo(r.Context(), s, statRes.Info)
 	if err != nil {

@@ -455,8 +455,7 @@ func (h *Handler) extractPermissions(reqRole string, reqPermissions string, ri *
 		role = conversions.RoleFromOCSPermissions(permissions)
 	}
 
-	existingPermissions := conversions.RoleFromResourcePermissions(ri.PermissionSet).OCSPermissions()
-	if !existingPermissions.Contain(permissions) {
+	if !sufficientPermissions(ri.PermissionSet, role.CS3ResourcePermissions()) {
 		return nil, nil, &ocsError{
 			Code:    http.StatusNotFound,
 			Message: "Cannot set the requested share permissions",
@@ -1399,3 +1398,10 @@ func (h *Handler) getPoolClient() (gateway.GatewayAPIClient, error) {
 func (h *Handler) getHomeNamespace(u *userpb.User) string {
 	return templates.WithUser(u, h.homeNamespace)
 }
+
+// sufficientPermissions returns true if the `existing` permissions contain the `requested` permissions
+func sufficientPermissions(existing, requested *provider.ResourcePermissions) bool {
+	ep := conversions.RoleFromResourcePermissions(existing).OCSPermissions()
+	rp := conversions.RoleFromResourcePermissions(requested).OCSPermissions()
+	return ep.Contain(rp)
+}