Merge pull request #3229 from owncloud/capabilities-for-public-links

allow requesting capabilities from password protected links
owncloud · Feb 24, 2022 · 479468c · 479468c
2 parents e92e84d + e870208
commit 479468c
Show file tree

Hide file tree

Showing 3 changed files with 63 additions and 3 deletions.
diff --git a/changelog/unreleased/fix-capabilities-for-public-links.md b/changelog/unreleased/fix-capabilities-for-public-links.md
@@ -0,0 +1,7 @@
+Bugfix: Capabilities for password protected public links
+
+Allow password protected public links to request capabilities.
+
+https://github.com/owncloud/ocis/pull/3229
+https://github.com/owncloud/web/pull/6471
+https://github.com/owncloud/web/issues/5863
diff --git a/proxy/pkg/middleware/basic_auth.go b/proxy/pkg/middleware/basic_auth.go
@@ -11,8 +11,6 @@ import (
  "github.com/owncloud/ocis/proxy/pkg/webdav"
 )
 
-const publicFilesEndpoint = "/remote.php/dav/public-files/"
-
 // BasicAuth provides a middleware to check if BasicAuth is provided
 func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
  options := newOptions(optionSetters...)
@@ -111,7 +109,25 @@ type basicAuth struct {
 
 func (m basicAuth) isPublicLink(req *http.Request) bool {
  login, _, ok := req.BasicAuth()
- return ok && login == "public" && strings.HasPrefix(req.URL.Path, publicFilesEndpoint)
+
+ if !ok || login != "public" {
+ return false
+ }
+
+ publicPaths := []string{
+ "/remote.php/dav/public-files/",
+ "/ocs/v1.php/cloud/capabilities",
+ }
+ isPublic := false
+
+ for _, p := range publicPaths {
+ if strings.HasPrefix(req.URL.Path, p) {
+ isPublic = true
+ break
+ }
+ }
+
+ return isPublic
 }
 
 // The token auth endpoint uses basic auth for clients, see https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest

diff --git a/proxy/pkg/middleware/basic_auth_test.go b/proxy/pkg/middleware/basic_auth_test.go
@@ -1,3 +1,40 @@
 package middleware
 
+import (
+ "net/http/httptest"
+ "testing"
+)
+
 /**/
+
+func TestBasicAuth__isPublicLink(t *testing.T) {
+ tests := []struct {
+ url string
+ username string
+ expected bool
+ }{
+ {url: "/remote.php/dav/public-files/", username: "", expected: false},
+ {url: "/remote.php/dav/public-files/", username: "abc", expected: false},
+ {url: "/remote.php/dav/public-files/", username: "private", expected: false},
+ {url: "/remote.php/dav/public-files/", username: "public", expected: true},
+ {url: "/ocs/v1.php/cloud/capabilities", username: "", expected: false},
+ {url: "/ocs/v1.php/cloud/capabilities", username: "abc", expected: false},
+ {url: "/ocs/v1.php/cloud/capabilities", username: "private", expected: false},
+ {url: "/ocs/v1.php/cloud/capabilities", username: "public", expected: true},
+ {url: "/ocs/v1.php/cloud/users/admin", username: "public", expected: false},
+ }
+ ba := basicAuth{}
+
+ for _, tt := range tests {
+ req := httptest.NewRequest("", tt.url, nil)
+
+ if tt.username != "" {
+ req.SetBasicAuth(tt.username, "")
+ }
+
+ result := ba.isPublicLink(req)
+ if result != tt.expected {
+ t.Errorf("with %s expected %t got %t", tt.url, tt.expected, result)
+ }
+ }
+}