Disallow access to assistant task endpoints by anonymous users

Signed-off-by: MB-Finski <[email protected]>
nextcloud · Jan 31, 2024 · 6c141c7 · 6c141c7
1 parent 9972d47
commit 6c141c7
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 36 deletions.
diff --git a/lib/Controller/AssistantController.php b/lib/Controller/AssistantController.php
@@ -7,7 +7,6 @@
 use OCA\TpAssistant\Service\AssistantService;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
-use OCP\AppFramework\Http\Attribute\BruteForceProtection;
 use OCP\AppFramework\Http\Attribute\NoAdminRequired;
 use OCP\AppFramework\Http\Attribute\NoCSRFRequired;
 use OCP\AppFramework\Http\DataResponse;
@@ -34,45 +33,34 @@ public function __construct(
 	 */
 	#[NoAdminRequired]
 	#[NoCSRFRequired]
-	#[BruteForceProtection(action: 'taskResults')]
 	public function getTextProcessingTaskResultPage(int $taskId): TemplateResponse {
-		$task = $this->assistantService->getTextProcessingTask($this->userId, $taskId);
-
-		if ($task === null) {
-			$response = new TemplateResponse(
-				'',
-				'403',
-				[],
-				TemplateResponse::RENDER_AS_ERROR
-			);
-			$response->setStatus(Http::STATUS_NOT_FOUND);
-			$response->throttle(['userId' => $this->userId, 'taskId' => $taskId]);
-			return $response;
+
+		if ($this->userId !== null) {
+			$task = $this->assistantService->getTextProcessingTask($this->userId, $taskId);
+			if ($task !== null) {
+				$this->initialStateService->provideInitialState('task', $task->jsonSerializeCc());
+				return new TemplateResponse(Application::APP_ID, 'taskResultPage');
+			}
 		}
-		$this->initialStateService->provideInitialState('task', $task->jsonSerializeCc());
-		return new TemplateResponse(Application::APP_ID, 'taskResultPage');
+		return new TemplateResponse('','403',[],TemplateResponse::RENDER_AS_ERROR, Http::STATUS_FORBIDDEN);
 	}
 
 	/**
 	 * @param int $taskId
 	 * @return DataResponse
 	 */
 	#[NoAdminRequired]
-	#[BruteForceProtection(action: 'taskResults')]
 	public function getTextProcessingResult(int $taskId): DataResponse {
-		$task = $this->assistantService->getTextProcessingTask($this->userId, $taskId);
 
-		if ($task === null) {
-			$response = new DataResponse(
-				'',
-				Http::STATUS_NOT_FOUND
-			);
-			$response->throttle(['userId' => $this->userId, 'taskId' => $taskId]);
-			return $response;
+		if ($this->userId !== null) {
+			$task = $this->assistantService->getTextProcessingTask($this->userId, $taskId);
+			if ($task !== null) {
+				return new DataResponse([
+					'task' => $task->jsonSerializeCc(),
+				]);
+			}
 		}
-		return new DataResponse([
-			'task' => $task->jsonSerializeCc(),
-		]);
+		return new DataResponse('', Http::STATUS_NOT_FOUND);
 	}
 
 	/**
@@ -84,6 +72,10 @@ public function getTextProcessingResult(int $taskId): DataResponse {
 	 */
 	#[NoAdminRequired]
 	public function runTextProcessingTask(string $type, array $inputs, string $appId, string $identifier): DataResponse {
+		if ($this->userId === null) {
+			return new DataResponse('Unknow user', Http::STATUS_BAD_REQUEST);
+		}
+
 		try {
 			$task = $this->assistantService->runTextProcessingTask($type, $inputs, $appId, $this->userId, $identifier);
 		} catch (\Exception | \Throwable $e) {
@@ -103,6 +95,10 @@ public function runTextProcessingTask(string $type, array $inputs, string $appId
 	 */
 	#[NoAdminRequired]
 	public function scheduleTextProcessingTask(string $type, array $inputs, string $appId, string $identifier): DataResponse {
+		if ($this->userId === null) {
+			return new DataResponse('Unknow user', Http::STATUS_BAD_REQUEST);
+		}
+
 		try {
 			$task = $this->assistantService->scheduleTextProcessingTask($type, $inputs, $appId, $this->userId, $identifier);
 		} catch (\Exception | \Throwable $e) {
@@ -122,6 +118,10 @@ public function scheduleTextProcessingTask(string $type, array $inputs, string $
 	 */
 	#[NoAdminRequired]
 	public function runOrScheduleTextProcessingTask(string $type, array $inputs, string $appId, string $identifier): DataResponse {
+		if ($this->userId === null) {
+			return new DataResponse('Unknow user', Http::STATUS_BAD_REQUEST);
+		}
+
 		try {
 			$task = $this->assistantService->runOrScheduleTextProcessingTask($type, $inputs, $appId, $this->userId, $identifier);
 		} catch (\Exception | \Throwable $e) {
@@ -140,6 +140,10 @@ public function runOrScheduleTextProcessingTask(string $type, array $inputs, str
 	 */
 	#[NoAdminRequired]
 	public function parseTextFromFile(string $filePath): DataResponse {
+		if ($this->userId === null) {
+			return new DataResponse('Unknow user', Http::STATUS_BAD_REQUEST);
+		}
+
 		try {
 			$text = $this->assistantService->parseTextFromFile($filePath, $this->userId);
 		} catch (\Exception | \Throwable $e) {

diff --git a/lib/Service/AssistantService.php b/lib/Service/AssistantService.php
@@ -146,11 +146,11 @@ private function sanitizeInputs(string $type, array $inputs): array {
 	}
 
 	/**
-	 * @param string|null $userId
+	 * @param string $userId
 	 * @param int $taskId
 	 * @return Task
 	 */
-	public function getTextProcessingTask(?string $userId, int $taskId): ?Task {
+	public function getTextProcessingTask(string $userId, int $taskId): ?Task {
 		try {
 			$task = $this->taskMapper->getTask($taskId);
 		} catch (DoesNotExistException | MultipleObjectsReturnedException | \OCP\Db\Exception $e) {
@@ -183,13 +183,13 @@ public function getTextProcessingTask(?string $userId, int $taskId): ?Task {
 	 * @param string $type
 	 * @param array $input
 	 * @param string $appId
-	 * @param string|null $userId
+	 * @param string $userId
 	 * @param string $identifier
 	 * @return Task
 	 * @throws PreConditionNotMetException
 	 * @throws \Exception
 	 */
-	public function runTextProcessingTask(string $type, array $inputs, string $appId, ?string $userId, string $identifier): Task {
+	public function runTextProcessingTask(string $type, array $inputs, string $appId, string $userId, string $identifier): Task {
 		$inputs = $this->sanitizeInputs($type, $inputs);
 		switch ($type) {
 			case 'copywriter':
@@ -218,13 +218,13 @@ public function runTextProcessingTask(string $type, array $inputs, string $appId
 	 * @param string $type
 	 * @param array $input
 	 * @param string $appId
-	 * @param string|null $userId
+	 * @param string $userId
 	 * @param string $identifier
 	 * @return Task
 	 * @throws PreConditionNotMetException
 	 * @throws \Exception
 	 */
-	public function scheduleTextProcessingTask(string $type, array $inputs, string $appId, ?string $userId, string $identifier): Task {
+	public function scheduleTextProcessingTask(string $type, array $inputs, string $appId, string $userId, string $identifier): Task {
 		$inputs = $this->sanitizeInputs($type, $inputs);
 		switch ($type) {
 			case 'copywriter':
@@ -253,14 +253,14 @@ public function scheduleTextProcessingTask(string $type, array $inputs, string $
 	 * @param string $type
 	 * @param array<string> $inputs
 	 * @param string $appId
-	 * @param string|null $userId
+	 * @param string $userId
 	 * @param string $identifier
 	 * @return Task
 	 * @throws PreConditionNotMetException
 	 * @throws \OCP\Db\Exception
 	 * @throws \Exception
 	 */
-	public function runOrScheduleTextProcessingTask(string $type, array $inputs, string $appId, ?string $userId, string $identifier): Task {
+	public function runOrScheduleTextProcessingTask(string $type, array $inputs, string $appId, string $userId, string $identifier): Task {
 		$inputs = $this->sanitizeInputs($type, $inputs);
 		switch ($type) {
 			case 'copywriter':