Check share attributes on preview endpoints

Signed-off-by: Julius Härtl <jus@bitgrid.net>
nextcloud · Oct 25, 2022 · 8629d8e · 8629d8e
1 parent e3aac7d
commit 8629d8e
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 0 deletions.
diff --git a/apps/files_sharing/lib/Controller/PublicPreviewController.php b/apps/files_sharing/lib/Controller/PublicPreviewController.php
@@ -109,6 +109,11 @@ public function getPreview(
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}
 
+		$attributes = $share->getAttributes();
+		if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		try {
 			$node = $share->getNode();
 			if ($node instanceof Folder) {
@@ -159,6 +164,11 @@ public function directLink(string $token) {
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}
 
+		$attributes = $share->getAttributes();
+		if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		try {
 			$node = $share->getNode();
 			if ($node instanceof Folder) {

diff --git a/core/Controller/PreviewController.php b/core/Controller/PreviewController.php
@@ -27,6 +27,7 @@
  */
 namespace OC\Core\Controller;
 
+use OCA\Files_Sharing\SharedStorage;
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
@@ -129,6 +130,16 @@ private function fetchPreview(
 			return new DataResponse([], Http::STATUS_FORBIDDEN);
 		}
 
+		$storage = $node->getStorage();
+		if ($storage->instanceOfStorage(SharedStorage::class)) {
+			/** @var SharedStorage $storage */
+			$share = $storage->getShare();
+			$attributes = $share->getAttributes();
+			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+				return new DataResponse([], Http::STATUS_FORBIDDEN);
+			}
+		}
+
 		try {
 			$f = $this->preview->getPreview($node, $x, $y, !$a, $mode);
 			$response = new FileDisplayResponse($f, Http::STATUS_OK, [

diff --git a/tests/Core/Controller/PreviewControllerTest.php b/tests/Core/Controller/PreviewControllerTest.php
@@ -32,6 +32,7 @@
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
 use OCP\Files\SimpleFS\ISimpleFile;
+use OCP\Files\Storage\IStorage;
 use OCP\IPreview;
 use OCP\IRequest;
 
@@ -176,6 +177,10 @@ public function testNoPreview() {
 			->with($this->equalTo('file'))
 			->willReturn($file);
 
+		$storage = $this->createMock(IStorage::class);
+		$file->method('getStorage')
+			->willReturn($storage);
+
 		$this->previewManager->method('isAvailable')
 			->with($this->equalTo($file))
 			->willReturn(true);
@@ -211,6 +216,10 @@ public function testValidPreview() {
 		$file->method('isReadable')
 			->willReturn(true);
 
+		$storage = $this->createMock(IStorage::class);
+		$file->method('getStorage')
+			->willReturn($storage);
+
 		$preview = $this->createMock(ISimpleFile::class);
 		$preview->method('getName')->willReturn('my name');
 		$preview->method('getMTime')->willReturn(42);