
Commit 4ba8fb0

authored
Merge pull request #1887 from nextcloud/backport/1884/stable20
[stable20] Additional checks for workspace controller
2 parents 1247400 + ac90f53 commit 4ba8fb0


1 file changed

+16
-1
lines changed

1 file changed

+16
-1
lines changed

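--- a/lib/Controller/WorkspaceController.php
+++ b/lib/Controller/WorkspaceController.php
@@ -55,6 +55,7 @@
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\OCSController;
+use OCP\Constants;
 use OCP\DirectEditing\IManager as IDirectEditingManager;
 use OCP\DirectEditing\RegisterDirectEditorEvent;
 use OCP\EventDispatcher\IEventDispatcher;
@@ -64,6 +65,7 @@
 use OCP\Files\NotPermittedException;
 use OCP\Files\StorageNotAvailableException;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IURLGenerator;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager;
@@ -95,7 +97,10 @@ class WorkspaceController extends OCSController {
 /** @var LoggerInterface */
 private $logger;
 
-public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, $userId) {
+/** @var ISession */
+private $session;
+
+public function __construct($appName, IRequest $request, IRootFolder $rootFolder, IManager $shareManager, IDirectEditingManager $directEditingManager, IURLGenerator $urlGenerator, WorkspaceService $workspaceService, IEventDispatcher $eventDispatcher, LoggerInterface $logger, ISession $session, $userId) {
 parent::__construct($appName, $request);
 $this->rootFolder = $rootFolder;
 $this->shareManager = $shareManager;
@@ -105,6 +110,7 @@ public function __construct($appName, IRequest $request, IRootFolder $rootFolder
 $this->urlGenerator = $urlGenerator;
 $this->eventDispatcher = $eventDispatcher;
 $this->logger = $logger;
+$this->session = $session;
 }
 
 /**
@@ -158,6 +164,15 @@ public function folder(string $path = '/'): DataResponse {
 public function publicFolder(string $shareToken, string $path = '/'): DataResponse {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
+if (!($share->getPermissions() & Constants::PERMISSION_READ)) {
+throw new ShareNotFound();
+}
+if ($share->getPassword() !== null) {
+$shareId = $this->session->get('public_link_authenticated');
+if ($share->getId() !== $shareId) {
+throw new ShareNotFound();
+}
+}
 $folder = $share->getNode()->get($path);
 if ($folder instanceof Folder) {
 $file = $this->workspaceService->getFile($folder);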
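Review bot: The password gate added to `publicFolder()` depends on the session key `'public_link_authenticated'` holding a single share id of exactly the type `$share->getId()` returns, and nothing in the hunk documents that coupling. Because the comparison is a strict `!==`, a type or shape mismatch would fail closed (every visitor to a password-protected share gets `ShareNotFound`, not a bypass), but the code that writes that session value is not visible here, so this is worth confirming and pinning with a test. I would add a comment above the check such as `// Set by the public share authentication flow; must equal getId() in type and value`, plus a line noting that both new branches throw `ShareNotFound` on purpose, presumably so a denied request looks the same as an unknown token. The commit touches only this file, so neither new branch gains test coverage in this change. The body of `publicFolder()` continues past the end of the hunk, so how the exception is turned into a response cannot be checked from here.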
