[stable10] Backport of #34622 and #33180

apps/dav/lib/Connector/Sabre/CorsPlugin.php

@@ -48,6 +48,10 @@ class CorsPlugin extends ServerPlugin {
 
 	/** @var array */
 	private $extraHeaders;
+	/**
+	 * @var bool
+	 */
+	private $alreadyExecuted = false;
 
 	/**
 	 * @param IUserSession $userSession
@@ -105,9 +109,13 @@ public function initialize(\Sabre\DAV\Server $server) {
 		}
 
 		$this->server->on('beforeMethod', [$this, 'setCorsHeaders']);
-		$this->server->on('beforeMethod:OPTIONS', [$this, 'setOptionsRequestHeaders']);
+		$this->server->on('exception', [$this, 'onException']);
+		$this->server->on('beforeMethod:OPTIONS', [$this, 'setOptionsRequestHeaders'], 5);
 	}
 
+	public function onException(\Throwable $ex) {
+		$this->setCorsHeaders($this->server->httpRequest, $this->server->httpResponse);
+	}
 	/**
 	 * This method sets the cors headers for all requests
 	 *
@@ -116,18 +124,23 @@ public function initialize(\Sabre\DAV\Server $server) {
 	 * @return void
 	 */
 	public function setCorsHeaders(RequestInterface $request, ResponseInterface $response) {
-		if ($request->getHeader('origin') !== null) {
-			$requesterDomain = $request->getHeader('origin');
-			// unauthenticated request shall add cors headers as well
-			$userId = null;
-			if ($this->userSession->getUser() !== null) {
-				$userId = $this->userSession->getUser()->getUID();
-			}
+		if ($request->getHeader('origin') === null) {
+			return;
+		}
+		if ($this->alreadyExecuted) {
+			return;
+		}
+		$this->alreadyExecuted = true;
+		$requesterDomain = $request->getHeader('origin');
+		// unauthenticated request shall add cors headers as well
+		$userId = null;
+		if ($this->userSession->getUser() !== null) {
+			$userId = $this->userSession->getUser()->getUID();
+		}
 
-			$headers = \OC_Response::setCorsHeaders($userId, $requesterDomain, null, $this->getExtraHeaders($request));
-			foreach ($headers as $key => $value) {
-				$response->addHeader($key, \implode(',', $value));
-			}
+		$headers = \OC_Response::setCorsHeaders($userId, $requesterDomain, null, $this->getExtraHeaders($request));
+		foreach ($headers as $key => $value) {
+			$response->addHeader($key, \implode(',', $value));
 		}
 	}
 

apps/federatedfilesharing/lib/Controller/RequestHandlerController.php

@@ -32,6 +32,7 @@
 use OCA\FederatedFileSharing\FedShareManager;
 use OCA\FederatedFileSharing\Middleware\OcmMiddleware;
 use OCA\FederatedFileSharing\Ocm\Exception\BadRequestException;
+use OCA\FederatedFileSharing\Ocm\Exception\ForbiddenException;
 use OCA\FederatedFileSharing\Ocm\Exception\NotImplementedException;
 use OCA\FederatedFileSharing\Ocm\Exception\OcmException;
 use OCP\AppFramework\Http;
@@ -255,6 +256,18 @@ public function acceptShare($id) {
 			$token = $this->request->getParam('token', null);
 			$share = $this->ocmMiddleware->getValidShare($id, $token);
 			$this->fedShareManager->acceptShare($share);
+		} catch (BadRequestException $e) {
+			return new Result(
+				null,
+				Http::STATUS_GONE,
+				$e->getMessage()
+			);
+		} catch (ForbiddenException $e) {
+			return new Result(
+				null,
+				Http::STATUS_FORBIDDEN,
+				$e->getMessage()
+			);
 		} catch (NotImplementedException $e) {
 			return new Result(
 				null,
@@ -281,6 +294,18 @@ public function declineShare($id) {
 			$this->ocmMiddleware->assertOutgoingSharingEnabled();
 			$share = $this->ocmMiddleware->getValidShare($id, $token);
 			$this->fedShareManager->declineShare($share);
+		} catch (BadRequestException $e) {
+			return new Result(
+				null,
+				Http::STATUS_GONE,
+				$e->getMessage()
+			);
+		} catch (ForbiddenException $e) {
+			return new Result(
+				null,
+				Http::STATUS_FORBIDDEN,
+				$e->getMessage()
+			);
 		} catch (NotImplementedException $e) {
 			return new Result(
 				null,

apps/federatedfilesharing/tests/Controller/RequestHandlerTest.php

@@ -308,6 +308,42 @@ public function testAcceptSuccess() {
 		);
 	}
 
+	public function testAcceptFailedWhenInvalidShareId() {
+		$this->request->expects($this->any())
+			->method('getParam')
+			->willReturn(self::DEFAULT_TOKEN);
+
+		$this->ocmMiddleware->method('getValidShare')
+			->willThrowException(new BadRequestException());
+
+		$this->fedShareManager->expects($this->never())
+			->method('acceptShare');
+
+		$response = $this->requestHandlerController->acceptShare(2);
+		$this->assertEquals(
+			Http::STATUS_GONE,
+			$response->getStatusCode()
+		);
+	}
+
+	public function testAcceptFailedWhenShareIdHasInvalidSecret() {
+		$this->request->expects($this->any())
+			->method('getParam')
+			->willReturn(self::DEFAULT_TOKEN);
+
+		$this->ocmMiddleware->method('getValidShare')
+			->willThrowException(new ForbiddenException());
+
+		$this->fedShareManager->expects($this->never())
+			->method('acceptShare');
+
+		$response = $this->requestHandlerController->acceptShare(2);
+		$this->assertEquals(
+			Http::STATUS_FORBIDDEN,
+			$response->getStatusCode()
+		);
+	}
+
 	public function testDeclineFailedWhenSharingIsDisabled() {
 		$this->ocmMiddleware->method('assertOutgoingSharingEnabled')
 			->willThrowException(new NotImplementedException());
@@ -346,6 +382,42 @@ public function testDeclineSuccess() {
 		);
 	}
 
+	public function testDeclineFailedWhenInvalidShareId() {
+		$this->request->expects($this->any())
+			->method('getParam')
+			->willReturn(self::DEFAULT_TOKEN);
+
+		$this->ocmMiddleware->method('getValidShare')
+			->willThrowException(new BadRequestException());
+
+		$this->fedShareManager->expects($this->never())
+			->method('declineShare');
+
+		$response = $this->requestHandlerController->declineShare(2);
+		$this->assertEquals(
+			Http::STATUS_GONE,
+			$response->getStatusCode()
+		);
+	}
+
+	public function testDeclineFailedWhenShareIdHasInvalidSecret() {
+		$this->request->expects($this->any())
+			->method('getParam')
+			->willReturn(self::DEFAULT_TOKEN);
+
+		$this->ocmMiddleware->method('getValidShare')
+			->willThrowException(new ForbiddenException());
+
+		$this->fedShareManager->expects($this->never())
+			->method('declineShare');
+
+		$response = $this->requestHandlerController->declineShare(2);
+		$this->assertEquals(
+			Http::STATUS_FORBIDDEN,
+			$response->getStatusCode()
+		);
+	}
+
 	public function testUnshareFailedWhenSharingIsDisabled() {
 		$this->ocmMiddleware->method('assertOutgoingSharingEnabled')
 			->willThrowException(new NotImplementedException());

apps/files_sharing/appinfo/routes.php

@@ -50,7 +50,52 @@
 			'name' => 'sharees#search',
 			'url' => '/api/v1/sharees',
 			'verb' => 'GET',
-		]
+		],
+		[
+			'name' => 'Share20Ocs#getShares',
+			'url' => '/api/v1/shares',
+			'verb' => 'GET'
+		],
+		[
+			'name' => 'Share20Ocs#createShare',
+			'url' => '/api/v1/shares',
+			'verb' => 'POST'
+		],
+		[
+			'name' => 'Share20Ocs#acceptShare',
+			'url' => '/api/v1/shares/pending/{id}',
+			'verb' => 'POST'
+		],
+		[
+			'name' => 'Share20Ocs#declineShare',
+			'url' => '/api/v1/shares/pending/{id}',
+			'verb' => 'DELETE'
+		],
+		[
+			'name' => 'Share20Ocs#getShare',
+			'url' => '/api/v1/shares/{id}',
+			'verb' => 'GET'
+		],
+		[
+			'name' => 'Share20Ocs#updateShare',
+			'url' => '/api/v1/shares/{id}',
+			'verb' => 'PUT'
+		],
+		[
+			'name' => 'Share20Ocs#deleteShare',
+			'url' => '/api/v1/shares/{id}',
+			'verb' => 'DELETE'
+		],
+		[
+			'name' => 'Share20Ocs#notifyRecipients',
+			'url' => '/api/v1/notification/send',
+			'verb' => 'POST'
+		],
+		[
+			'name' => 'Share20Ocs#notifyRecipientsDisabled',
+			'url' => '/api/v1/notification/marksent',
+			'verb' => 'POST'
+		],
 	]
 ]);
 
@@ -70,46 +115,8 @@ function () {
 	->actionInclude('files_sharing/ajax/external.php');
 
 // OCS API
-
 //TODO: SET: mail notification, waiting for PR #4689 to be accepted
 
-$OCSShare = new \OCA\Files_Sharing\API\OCSShareWrapper($application);
-
-API::register('get',
-		'/apps/files_sharing/api/v1/shares',
-		[$OCSShare, 'getAllShares'],
-		'files_sharing');
-
-API::register('post',
-		'/apps/files_sharing/api/v1/shares',
-		[$OCSShare, 'createShare'],
-		'files_sharing');
-
-API::register('post',
-		'/apps/files_sharing/api/v1/shares/pending/{id}',
-		[$OCSShare, 'acceptShare'],
-		'files_sharing');
-
-API::register('delete',
-		'/apps/files_sharing/api/v1/shares/pending/{id}',
-		[$OCSShare, 'declineShare'],
-		'files_sharing');
-
-API::register('get',
-		'/apps/files_sharing/api/v1/shares/{id}',
-		[$OCSShare, 'getShare'],
-		'files_sharing');
-
-API::register('put',
-		'/apps/files_sharing/api/v1/shares/{id}',
-		[$OCSShare, 'updateShare'],
-		'files_sharing');
-
-API::register('delete',
-		'/apps/files_sharing/api/v1/shares/{id}',
-		[$OCSShare, 'deleteShare'],
-		'files_sharing');
-
 API::register('get',
 		'/apps/files_sharing/api/v1/remote_shares',
 		['\OCA\Files_Sharing\API\Remote', 'getShares'],