Check share attributes on preview endpoints

Signed-off-by: Julius Härtl <jus@bitgrid.net>
3 years ago · 8629d8e44f
parent e3aac7d573
commit 8629d8e44f
3 changed files with 30 additions and 0 deletions
--- a/apps/files_sharing/lib/Controller/PublicPreviewController.php
+++ b/apps/files_sharing/lib/Controller/PublicPreviewController.php
@ -109,6 +109,11 @@ class PublicPreviewController extends PublicShareController {
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}

+		$attributes = $share->getAttributes();
+		if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		try {
 			$node = $share->getNode();
 			if ($node instanceof Folder) {
@ -159,6 +164,11 @@ class PublicPreviewController extends PublicShareController {
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}

+		$attributes = $share->getAttributes();
+		if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		try {
 			$node = $share->getNode();
 			if ($node instanceof Folder) {
--- a/core/Controller/PreviewController.php
+++ b/core/Controller/PreviewController.php
@ -27,6 +27,7 @@ declare(strict_types=1);
 */
 namespace OC\Core\Controller;

+use OCA\Files_Sharing\SharedStorage;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
@ -129,6 +130,16 @@ class PreviewController extends Controller {
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}

+		$storage = $node->getStorage();
+		if ($storage->instanceOfStorage(SharedStorage::class)) {
+			/** @var SharedStorage $storage */
+			$share = $storage->getShare();
+			$attributes = $share->getAttributes();
+			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+				return new DataResponse([], Http::STATUS_FORBIDDEN);
+			}
+		}
+
 		try {
 			$f = $this->preview->getPreview($node, $x, $y, !$a, $mode);
 			$response = new FileDisplayResponse($f, Http::STATUS_OK, [
--- a/tests/Core/Controller/PreviewControllerTest.php
+++ b/tests/Core/Controller/PreviewControllerTest.php
@ -32,6 +32,7 @@ use OCP\Files\Folder;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\Files\SimpleFS\ISimpleFile;
+use OCP\Files\Storage\IStorage;
 use OCP\IPreview;
 use OCP\IRequest;

@ -176,6 +177,10 @@ class PreviewControllerTest extends \Test\TestCase {
 			->with($this->equalTo('file'))
 			->willReturn($file);

+		$storage = $this->createMock(IStorage::class);
+		$file->method('getStorage')
+			->willReturn($storage);
+
 		$this->previewManager->method('isAvailable')
 			->with($this->equalTo($file))
 			->willReturn(true);
@ -211,6 +216,10 @@ class PreviewControllerTest extends \Test\TestCase {
 		$file->method('isReadable')
 			->willReturn(true);

+		$storage = $this->createMock(IStorage::class);
+		$file->method('getStorage')
+			->willReturn($storage);
+
 		$preview = $this->createMock(ISimpleFile::class);
 		$preview->method('getName')->willReturn('my name');
 		$preview->method('getMTime')->willReturn(42);