fix: Apply checks on shares in the middleware
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Signed-off-by: Max <max@nextcloud.com>
juliusknorr authored and max-nextcloud committed Oct 1, 2024
1 parent 4f344a2 commit 7509d9c
Showing 1 changed file with 23 additions and 3 deletions.
26 changes: 23 additions & 3 deletions lib/Middleware/SessionMiddleware.php
Expand Up @@ -16,10 +16,12 @@
use OCP\AppFramework\Http\JSONResponse;
use OCP\AppFramework\Http\Response;
use OCP\AppFramework\Middleware;
use OCP\Constants;
use OCP\Files\IRootFolder;
use OCP\Files\NotPermittedException;
use OCP\IL10N;
use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager as ShareManager;
Expand All @@ -31,6 +33,7 @@ public function __construct(
private IRequest $request,
private SessionService $sessionService,
private DocumentService $documentService,
private ISession $session,
private IUserSession $userSession,
private IRootFolder $rootFolder,
private ShareManager $shareManager,
Expand Down Expand Up @@ -116,7 +119,7 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
$documentId = (int)$this->request->getParam('documentId');
if (null !== $userId = $this->userSession->getUser()?->getUID()) {
// Check if user has access to document
if (count($this->rootFolder->getUserFolder($userId)->getById($documentId)) === 0) {
if ($this->rootFolder->getUserFolder($userId)->getFirstNodeById($documentId) === null) {
throw new InvalidSessionException();
}
$controller->setUserId($userId);
Expand All @@ -126,8 +129,25 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
} catch (ShareNotFound) {
throw new InvalidSessionException();
}
// Check if shareToken has access to document
if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {

$node = $this->rootFolder->getUserFolder($share->getShareOwner())->getFirstNodeById($documentId);
if ($node === null) {
throw new InvalidSessionException();
}

if ($share->getPassword() !== null) {
$shareId = $this->session->get('public_link_authenticated');
if ($share->getId() !== $shareId) {
throw new InvalidSessionException();
}
}

if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
throw new InvalidSessionException();
}

$attributes = $share->getAttributes();
if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
throw new InvalidSessionException();
}
} else {
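Review bot: The share branch only proves that the share owner's folder contains a node with $documentId (the `$node === null` check); nothing in this hunk ties that node to the share itself, so unless the lines after `} else {` compare `$node` with `$share->getNode()`, any file of the owner would be reachable with any of that owner's link tokens. I would add, directly after the null check, `$shareNode = $share->getNode();` and `if ($node->getId() !== $shareNode->getId() && !($shareNode instanceof \OCP\Files\Folder && $shareNode->isSubNode($node))) { throw new InvalidSessionException(); }`. The password gate compares `$share->getId()` strictly with the session value; IShare::getId() is documented as a string, so confirm the value core stores under `public_link_authenticated` is a string as well — a type mismatch here fails closed rather than open, but would lock out visitors who did unlock the link. The comment dropped together with the old count() check is worth restoring above the new block, e.g. `// The token must resolve to the document, be unlocked in this session if password-protected, and carry read (and download) permission`. assertUserOrShareToken continues past the end of the hunk.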
