fix: Skip disabled download files when requesting assets

Signed-off-by: Julius Härtl <jus@bitgrid.net>

lib/Controller/AssetsController.php

@@ -23,6 +23,7 @@
 
 namespace OCA\Richdocuments\Controller;
 
+use OCA\Files_Sharing\SharedStorage;
 use OCA\Richdocuments\Controller\Attribute\RestrictToWopiServer;
 use OCA\Richdocuments\Db\AssetMapper;
 use OCA\Richdocuments\Service\UserScopeService;
@@ -35,6 +36,7 @@
 use OCP\Files\File;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
+use OCP\Files\NotPermittedException;
 use OCP\IRequest;
 use OCP\IURLGenerator;
 
@@ -73,8 +75,24 @@ public function create($path) {
 
 		try {
 			$node = $userFolder->get($path);
+
+			if (!($node instanceof File)) {
+				return new JSONResponse([], Http::STATUS_NOT_FOUND);
+			}
+
+			$storage = $node->getStorage();
+			if ($storage->instanceOfStorage(SharedStorage::class)) {
+				/** @var SharedStorage $storage */
+				$share = $storage->getShare();
+				$attributes = $share->getAttributes();
+				if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+					throw new NotPermittedException();
+				}
+			}
 		} catch (NotFoundException $e) {
 			return new JSONResponse([], Http::STATUS_NOT_FOUND);
+		} catch (NotPermittedException $e) {
+			return new JSONResponse([], Http::STATUS_FORBIDDEN);
 		}
 
 		$asset = $this->assetMapper->newAsset($this->userId, $node->getId());