Commit 278357a

fix: Replace the deprecated direct download link with the public DAV endpoint

This currently prevents directly accessing a resource when clicking on a link on a third party site. Example, clicking on `https://example.com/public.php/dav/files/pqLWcA269zfzXez/?accept=zip` in a GitHub comment.

Skipping the check is an issue with password protected shares, as it allows third party sites to request the resource when the user already entered the password, aka CSRF. So after removing the check from `base.php`, we need to add it again in the `PublicAuth` plugin. We also add a redirect to be helpful to the user.

**Warning**: this adds the limitation that clicking on a direct download link for password protected shares will redirect you to the password form, and then to the main share view. Another solution would be to do the redirect from the front-end.

- Fix #52482
- Improved version of original closed PR: #52657

Signed-off-by: Louis Chemineau <louis@chmn.me>

1 parent e84cefd commit 278357a

3 files changed: +3 -1 lines changed

3rdparty

Submodule 3rdparty updated 101 files
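
Review bot: The `3rdparty` submodule bump brings in 101 changed files, and nothing in the commit message explains it. For a fix that touches a CSRF check on password protected shares, an unexplained dependency update makes the change hard to audit and hard to backport. Either move the submodule update to its own commit or state in the message which dependency change this fix relies on.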

apps/dav/lib/Connector/Sabre/PublicAuth.php

Lines changed: 1 addition & 0 deletions
@@ -81,6 +81,7 @@ public function check(RequestInterface $request, ResponseInterface $response): a
8181
return $this->checkToken();
8282
} catch (NotAuthenticated|MaxDelayReached $e) {
8383
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
84+
throw $e;
8485
} catch (NotAuthenticated $e) {
8586
$response->setHeader(
8687
'Location',
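
Review bot: With `throw $e;` added at line 84, the `catch (NotAuthenticated $e)` block that follows (the one setting the `Location` header) cannot run for an exception raised in the `try`. The first clause, `catch (NotAuthenticated|MaxDelayReached $e)`, already matches `NotAuthenticated`, and in PHP an exception rethrown from inside a catch block is not handled by the sibling catch clauses of the same `try`. If the redirect to the password form is meant to happen, register the brute-force attempt and set the redirect in a single `NotAuthenticated` handler, and keep a separate clause for `MaxDelayReached`. A test that requests a password protected share without a session and asserts on the `Location` header would catch this.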

apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php

Lines changed: 1 addition & 0 deletions
@@ -153,6 +153,7 @@ public function renderPage(IShare $share, string $token, string $path): Template
153153
'token' => $token,
154154
'filename' => ($shareNode instanceof File) ? $shareNode->getName() : null,
155155
]);
156+
// $downloadUrl = $this->urlGenerator->getAbsoluteURL('/public.php/dav/files/' . $token . '/?accept=zip');
156157

157158
// If not a file drop, then add the download header action
158159
$headerActions[] = new SimpleMenuAction('download', $this->l10n->t('Download'), 'icon-download', $downloadUrl, 0, (string)$shareNode->getSize());
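
Review bot: The only line added here, at line 156, is commented out, so the `$downloadUrl` passed to `SimpleMenuAction` at line 158 is still whatever was assigned earlier in `renderPage()`. The commit title says the deprecated direct download link is replaced with the public DAV endpoint, but this hunk does not do that. Either uncomment the assignment so the download action actually points at `/public.php/dav/files/<token>/?accept=zip`, or drop the dead line and explain in a comment why the switch is deferred. If it is enabled, note that `?accept=zip` is appended even when `$shareNode` is a single `File`, which deserves a check.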
