From 7edf59f3129ab1a263f7816aea8b8b58fad65d04 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Thu, 11 Jan 2024 10:57:22 +0100
Subject: [PATCH] fix: Let wopi middleware also handle asset fetching
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Middleware/WOPIMiddleware.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/lib/Middleware/WOPIMiddleware.php b/lib/Middleware/WOPIMiddleware.php
index c8ed42bbbd..f2ffb30221 100644
--- a/lib/Middleware/WOPIMiddleware.php
+++ b/lib/Middleware/WOPIMiddleware.php
@@ -28,6 +28,7 @@
 namespace OCA\Richdocuments\Middleware;
 use OCA\Richdocuments\AppInfo\Application;
+use OCA\Richdocuments\Controller\AssetsController;
 use OCA\Richdocuments\Controller\WopiController;
 use OCA\Richdocuments\Db\WopiMapper;
 use OCA\Richdocuments\Exceptions\ExpiredTokenException;
@@ -63,7 +64,11 @@ public function __construct(IConfig $config, IRequest $request, WopiMapper $wopi
 public function beforeController($controller, $methodName) {
 parent::beforeController($controller, $methodName);
- if ($controller instanceof WopiController && !$this->isWOPIAllowed()) {
+ // Check controllers that are only supposed to be called by Collabora directly
+ // FIXME: This can be moved to a PHP attribute in the future
+ $isRestrictedController = $controller instanceof WopiController
+ || ($controller instanceof AssetsController && $methodName === 'get');
+ if ($isRestrictedController && !$this->isWOPIAllowed()) {
 throw new NotPermittedException();
 }
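Review bot: The new restriction on `AssetsController` in `beforeController` is keyed to the string literal `'get'`, so it fails open. If that action is renamed, or another Collabora-only action is added to `AssetsController`, the endpoint is served without the `isWOPIAllowed()` check and nothing signals the gap. Until the attribute mentioned in the FIXME exists, I would state the coupling at the check, e.g. `// Keep in sync with AssetsController::get: a rename silently drops the isWOPIAllowed() check`. I would also add a middleware test asserting that `beforeController` throws `NotPermittedException` for `AssetsController` with `'get'` when `isWOPIAllowed()` returns false. The body of `beforeController` continues past the end of the hunk, so anything after the `if` is not covered by this note.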