fix: Check for share link authentication

Signed-off-by: Julius Härtl <[email protected]>
nextcloud · Oct 16, 2024 · b3610b6 · b3610b6
1 parent 087db41
commit b3610b6
Showing 1 changed file with 14 additions and 5 deletions.
diff --git a/lib/Controller/DocumentAPIController.php b/lib/Controller/DocumentAPIController.php
@@ -40,6 +40,7 @@
 use OCP\Files\Lock\NoLockProviderException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\PreConditionNotMetException;
 use OCP\Share\IManager;
 use Psr\Log\LoggerInterface;
@@ -52,16 +53,18 @@ class DocumentAPIController extends \OCP\AppFramework\OCSController {
 	private $l10n;
 	private $logger;
 	private $lockManager;
+	private $session;
 	private $userId;
 
-	public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, ILockManager $lockManager, $userId) {
+	public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, ILockManager $lockManager, ISession $session, $userId) {
 		parent::__construct(Application::APPNAME, $request);
 		$this->rootFolder = $rootFolder;
 		$this->shareManager = $shareManager;
 		$this->templateManager = $templateManager;
 		$this->l10n = $l10n;
 		$this->logger = $logger;
 		$this->lockManager = $lockManager;
+		$this->session = $session;
 		$this->userId = $userId;
 	}
 
@@ -80,11 +83,17 @@ public function create(string $mimeType, string $fileName, string $directoryPath
 		try {
 			if ($shareToken !== null) {
 				$share = $this->shareManager->getShareByToken($shareToken);
+
+				if ($share->getPassword()) {
+					if (!$this->session->exists('public_link_authenticated')
+						|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
+					) {
+						throw new Exception('Invalid password');
+					}
+				}
+
 				if (!($share->getPermissions() & \OCP\Constants::PERMISSION_CREATE)) {
-					return new JSONResponse([
-						'status' => 'error',
-						'message' => $this->l10n->t('Not allowed to create document')
-					], Http::STATUS_FORBIDDEN);
+					throw new Exception('No create permissions');
 				}
 			}