Check share attributes on preview endpoints

Signed-off-by: Julius Härtl <jus@bitgrid.net>

apps/files_sharing/lib/Controller/PublicPreviewController.php

@@ -109,6 +109,11 @@ public function getPreview(
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}
 
+		$attributes = $share->getAttributes();
+		if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		try {
 			$node = $share->getNode();
 			if ($node instanceof Folder) {
@@ -159,6 +164,11 @@ public function directLink(string $token) {
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}
 
+		$attributes = $share->getAttributes();
+		if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		try {
 			$node = $share->getNode();
 			if ($node instanceof Folder) {

core/Controller/PreviewController.php

@@ -27,6 +27,7 @@
  */
 namespace OC\Core\Controller;
 
+use OCA\Files_Sharing\SharedStorage;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
@@ -37,6 +38,7 @@
 use OCP\Files\NotFoundException;
 use OCP\IPreview;
 use OCP\IRequest;
+use OCP\Share\IShare;
 
 class PreviewController extends Controller {
 	private string $userId;
@@ -129,6 +131,16 @@ private function fetchPreview(
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}
 
+		$storage = $node->getStorage();
+		if ($storage->instanceOfStorage(SharedStorage::class)) {
+			/** @var SharedStorage $storage */
+			$share = $storage->getShare();
+			$attributes = $share->getAttributes();
+			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+				return new DataResponse([], Http::STATUS_FORBIDDEN);
+			}
+		}
+
 		try {
 			$f = $this->preview->getPreview($node, $x, $y, !$a, $mode);
 			$response = new FileDisplayResponse($f, Http::STATUS_OK, [