Merge pull request #3403 from nextcloud/bugfix/middleware-asset

fix: Let wopi middleware also handle asset fetching

composer/composer/autoload_classmap.php

@@ -17,6 +17,7 @@
     'OCA\\Richdocuments\\Command\\InstallDefaultFonts' => $baseDir . '/../lib/Command/InstallDefaultFonts.php',
     'OCA\\Richdocuments\\Command\\UpdateEmptyTemplates' => $baseDir . '/../lib/Command/UpdateEmptyTemplates.php',
     'OCA\\Richdocuments\\Controller\\AssetsController' => $baseDir . '/../lib/Controller/AssetsController.php',
+    'OCA\\Richdocuments\\Controller\\Attribute\\RestrictToWopiServer' => $baseDir . '/../lib/Controller/Attribute/RestrictToWopiServer.php',
     'OCA\\Richdocuments\\Controller\\DirectViewController' => $baseDir . '/../lib/Controller/DirectViewController.php',
     'OCA\\Richdocuments\\Controller\\DocumentAPIController' => $baseDir . '/../lib/Controller/DocumentAPIController.php',
     'OCA\\Richdocuments\\Controller\\DocumentController' => $baseDir . '/../lib/Controller/DocumentController.php',

composer/composer/autoload_static.php

@@ -32,6 +32,7 @@ class ComposerStaticInitRichdocuments
         'OCA\\Richdocuments\\Command\\InstallDefaultFonts' => __DIR__ . '/..' . '/../lib/Command/InstallDefaultFonts.php',
         'OCA\\Richdocuments\\Command\\UpdateEmptyTemplates' => __DIR__ . '/..' . '/../lib/Command/UpdateEmptyTemplates.php',
         'OCA\\Richdocuments\\Controller\\AssetsController' => __DIR__ . '/..' . '/../lib/Controller/AssetsController.php',
+        'OCA\\Richdocuments\\Controller\\Attribute\\RestrictToWopiServer' => __DIR__ . '/..' . '/../lib/Controller/Attribute/RestrictToWopiServer.php',
         'OCA\\Richdocuments\\Controller\\DirectViewController' => __DIR__ . '/..' . '/../lib/Controller/DirectViewController.php',
         'OCA\\Richdocuments\\Controller\\DocumentAPIController' => __DIR__ . '/..' . '/../lib/Controller/DocumentAPIController.php',
         'OCA\\Richdocuments\\Controller\\DocumentController' => __DIR__ . '/..' . '/../lib/Controller/DocumentController.php',

lib/Controller/AssetsController.php

@@ -23,6 +23,7 @@
 
 namespace OCA\Richdocuments\Controller;
 
+use OCA\Richdocuments\Controller\Attribute\RestrictToWopiServer;
 use OCA\Richdocuments\Db\AssetMapper;
 use OCA\Richdocuments\Service\UserScopeService;
 use OCP\AppFramework\Controller;
@@ -92,6 +93,7 @@ public function create($path) {
 	 * @param string $token
 	 * @return Http\Response
 	 */
+	#[RestrictToWopiServer]
 	public function get($token) {
 		try {
 			$asset = $this->assetMapper->getAssetByToken($token);

lib/Controller/Attribute/RestrictToWopiServer.php

@@ -0,0 +1,31 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * @copyright Copyright (c) 2024 Julius Härtl <[email protected]>
+ *
+ * @author Julius Härtl <[email protected]>
+ *
+ * @license GNU AGPL version 3 or any later version
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as
+ * published by the Free Software Foundation, either version 3 of the
+ * License, or (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <http://www.gnu.org/licenses/>.
+ */
+
+namespace OCA\Richdocuments\Controller\Attribute;
+
+use Attribute;
+
+#[Attribute]
+class RestrictToWopiServer {
+}

lib/Controller/WopiController.php

@@ -24,6 +24,7 @@
 use OCA\Files_Versions\Versions\IVersionManager;
 use OCA\Richdocuments\AppConfig;
 use OCA\Richdocuments\AppInfo\Application;
+use OCA\Richdocuments\Controller\Attribute\RestrictToWopiServer;
 use OCA\Richdocuments\Db\Wopi;
 use OCA\Richdocuments\Db\WopiMapper;
 use OCA\Richdocuments\Events\DocumentOpenedEvent;
@@ -71,6 +72,7 @@
 use Psr\Container\NotFoundExceptionInterface;
 use Psr\Log\LoggerInterface;
 
+#[RestrictToWopiServer]
 class WopiController extends Controller {
 	/** @var IRootFolder */
 	private $rootFolder;

lib/Middleware/WOPIMiddleware.php

@@ -28,6 +28,7 @@
 namespace OCA\Richdocuments\Middleware;
 
 use OCA\Richdocuments\AppInfo\Application;
+use OCA\Richdocuments\Controller\Attribute\RestrictToWopiServer;
 use OCA\Richdocuments\Controller\WopiController;
 use OCA\Richdocuments\Db\WopiMapper;
 use OCA\Richdocuments\Exceptions\ExpiredTokenException;
@@ -41,29 +42,31 @@
 use OCP\IConfig;
 use OCP\IRequest;
 use Psr\Log\LoggerInterface;
+use ReflectionClass;
+use ReflectionMethod;
 use Symfony\Component\HttpFoundation\IpUtils;
 
 class WOPIMiddleware extends Middleware {
-	/** @var IConfig */
-	private $config;
-	/** @var IRequest */
-	private $request;
-	/** @var WopiMapper */
-	private $wopiMapper;
-	/** @var LoggerInterface */
-	private $logger;
-
-	public function __construct(IConfig $config, IRequest $request, WopiMapper $wopiMapper, LoggerInterface $logger) {
-		$this->config = $config;
-		$this->request = $request;
-		$this->wopiMapper = $wopiMapper;
-		$this->logger = $logger;
+	public function __construct(
+		private IConfig $config,
+		private IRequest $request,
+		private WopiMapper $wopiMapper,
+		private LoggerInterface $logger
+	) {
 	}
 
 	public function beforeController($controller, $methodName) {
 		parent::beforeController($controller, $methodName);
 
-		if ($controller instanceof WopiController && !$this->isWOPIAllowed()) {
+		// Check controllers that are only supposed to be called by Collabora directly
+		$reflectionClass = new ReflectionClass($controller);
+		$hasClassAttribute = !empty($reflectionClass->getAttributes(RestrictToWopiServer::class));
+
+		$reflectionMethod = new ReflectionMethod($controller, $methodName);
+		$hasMethodAttribute = !empty($reflectionMethod->getAttributes(RestrictToWopiServer::class));
+
+		$isRestricted = $hasClassAttribute || $hasMethodAttribute;
+		if ($isRestricted && !$this->isWOPIAllowed()) {
 			throw new NotPermittedException();
 		}