From b3610b686dad0f6a602c1fe1dd3e9100b2621359 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Mon, 26 Aug 2024 15:43:28 +0200
Subject: [PATCH] fix: Check for share link authentication
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl
---
 lib/Controller/DocumentAPIController.php | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/lib/Controller/DocumentAPIController.php b/lib/Controller/DocumentAPIController.php
index a3641eb724..fcbd3399c0 100644
--- a/lib/Controller/DocumentAPIController.php
+++ b/lib/Controller/DocumentAPIController.php
@@ -40,6 +40,7 @@
 use OCP\Files\Lock\NoLockProviderException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\PreConditionNotMetException;
 use OCP\Share\IManager;
 use Psr\Log\LoggerInterface;
@@ -52,9 +53,10 @@ class DocumentAPIController extends \OCP\AppFramework\OCSController {
 	private $l10n;
 	private $logger;
 	private $lockManager;
+	private $session;
 	private $userId;
 
-	public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, ILockManager $lockManager, $userId) {
+	public function __construct(IRequest $request, IRootFolder $rootFolder, IManager $shareManager, TemplateManager $templateManager, IL10N $l10n, LoggerInterface $logger, ILockManager $lockManager, ISession $session, $userId) {
 		parent::__construct(Application::APPNAME, $request);
 		$this->rootFolder = $rootFolder;
 		$this->shareManager = $shareManager;
@@ -62,6 +64,7 @@ public function __construct(IRequest $request, IRootFolder $rootFolder, IManager
 		$this->l10n = $l10n;
 		$this->logger = $logger;
 		$this->lockManager = $lockManager;
+		$this->session = $session;
 		$this->userId = $userId;
 	}
 
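Review bot: The new property `private $session;` in the `@@ -52,9 +53,10 @@` hunk is declared without a type even though the constructor parameter it is assigned from is typed `ISession`; `private ISession $session;` would let the engine reject anything other than a session implementation being stored there, which matters because this property later gates access to password-protected shares. The neighbouring properties are untyped as well, so the new line follows the file's existing convention, but a security-relevant dependency is a reasonable place to start tightening. The constructor signature now takes `ISession $session` ahead of `$userId`, so any direct `new DocumentAPIController(...)` call sites outside the DI container (test fixtures, for instance) would presumably need the extra argument; that cannot be confirmed from this hunk.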
@@ -80,11 +83,17 @@ public function create(string $mimeType, string $fileName, string $directoryPath
 		try {
 			if ($shareToken !== null) {
 				$share = $this->shareManager->getShareByToken($shareToken);
+
+				if ($share->getPassword()) {
+					if (!$this->session->exists('public_link_authenticated')
+						|| $this->session->get('public_link_authenticated') !== (string)$share->getId()
+					) {
+						throw new Exception('Invalid password');
+					}
+				}
+
 				if (!($share->getPermissions() & \OCP\Constants::PERMISSION_CREATE)) {
-					return new JSONResponse([
-						'status' => 'error',
-						'message' => $this->l10n->t('Not allowed to create document')
-					], Http::STATUS_FORBIDDEN);
+					throw new Exception('No create permissions');
 				}
 			}