
Commit c41098e

authored
Merge pull request #7548 from LibreSign/backport/7539/stable33
[stable33] fix: allow signer thumbnail access and prefer file_id preview URLs
2 parents 0813155 + 874f7a0 commit c41098e

25 files changed

Lines changed: 404 additions & 46 deletions


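--- a/.github/workflows/behat-mariadb.yml
+++ b/.github/workflows/behat-mariadb.yml
@@ -108,7 +108,7 @@ jobs:
 php-version: ${{ matrix.php-versions }}
 tools: phpunit
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql, imagick
 coverage: none
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3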

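--- a/.github/workflows/behat-mysql.yml
+++ b/.github/workflows/behat-mysql.yml
@@ -112,7 +112,7 @@ jobs:
 php-version: ${{ matrix.php-versions }}
 tools: phpunit
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite, imagick
 coverage: none
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3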

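--- a/.github/workflows/behat-pgsql.yml
+++ b/.github/workflows/behat-pgsql.yml
@@ -111,7 +111,7 @@ jobs:
 php-version: ${{ matrix.php-versions }}
 tools: phpunit
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, pgsql, pdo_pgsql
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, pgsql, pdo_pgsql, imagick
 coverage: none
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3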

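--- a/.github/workflows/behat-sqlite.yml
+++ b/.github/workflows/behat-sqlite.yml
@@ -102,7 +102,7 @@ jobs:
 php-version: ${{ matrix.php-versions }}
 tools: phpunit
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite, imagick
 coverage: none
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3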

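--- a/.github/workflows/phpunit-mariadb.yml
+++ b/.github/workflows/phpunit-mariadb.yml
@@ -113,7 +113,7 @@ jobs:
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql, imagick
 coverage: xdebug
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3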

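--- a/.github/workflows/phpunit-mysql.yml
+++ b/.github/workflows/phpunit-mysql.yml
@@ -111,7 +111,7 @@ jobs:
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, mysql, pdo_mysql, imagick
 coverage: xdebug
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3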

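--- a/.github/workflows/phpunit-pgsql.yml
+++ b/.github/workflows/phpunit-pgsql.yml
@@ -114,7 +114,7 @@ jobs:
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, pgsql, pdo_pgsql
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, pgsql, pdo_pgsql, imagick
 coverage: xdebug
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3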

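--- a/.github/workflows/phpunit-sqlite.yml
+++ b/.github/workflows/phpunit-sqlite.yml
@@ -110,7 +110,7 @@ jobs:
 with:
 php-version: ${{ matrix.php-versions }}
 # https://docs.nextcloud.com/server/stable/admin_manual/installation/source_installation.html#prerequisites-for-manual-installation
-extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite
+extensions: bz2, ctype, curl, dom, fileinfo, gd, iconv, intl, json, libxml, mbstring, openssl, pcntl, posix, session, simplexml, xmlreader, xmlwriter, zip, zlib, sqlite, pdo_sqlite, imagick
 coverage: xdebug
 ini-file: development
 # Temporary workaround for missing pcntl_* in PHP 8.3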

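--- a/lib/Controller/FileController.php
+++ b/lib/Controller/FileController.php
@@ -18,6 +18,7 @@
 use OCA\Libresign\Helper\JSActions;
 use OCA\Libresign\Helper\ValidateHelper;
 use OCA\Libresign\Middleware\Attribute\PrivateValidation;
+use OCA\Libresign\Middleware\Attribute\RequireFileAccess;
 use OCA\Libresign\Middleware\Attribute\RequireManager;
 use OCA\Libresign\Service\AccountService;
 use OCA\Libresign\Service\File\FileListService;
@@ -353,6 +354,7 @@ public function list(
 */
 #[NoAdminRequired]
 #[NoCSRFRequired]
+#[RequireFileAccess('nodeId')]
 #[ApiRoute(verb: 'GET', url: '/api/{apiVersion}/file/thumbnail/{nodeId}', requirements: ['apiVersion' => '(v1)'])]
 public function getThumbnail(
 int $nodeId = -1,
@@ -369,9 +371,6 @@ public function getThumbnail(
 
 try {
 $libreSignFile = $this->fileMapper->getByNodeId($nodeId);
-if ($libreSignFile->getUserId() !== $this->userSession->getUser()->getUID()) {
-return new DataResponse([], Http::STATUS_FORBIDDEN);
-}
 
 if ($libreSignFile->getNodeType() === 'envelope') {
 if ($mimeFallback) {
@@ -411,6 +410,7 @@ public function getThumbnail(
 */
 #[NoAdminRequired]
 #[NoCSRFRequired]
+#[RequireFileAccess('fileId')]
 #[ApiRoute(verb: 'GET', url: '/api/{apiVersion}/file/thumbnail/file_id/{fileId}', requirements: ['apiVersion' => '(v1)'])]
 public function getThumbnailByFileId(
 int $fileId = -1,
@@ -427,9 +427,6 @@ public function getThumbnailByFileId(
 
 try {
 $libreSignFile = $this->fileMapper->getById($fileId);
-if ($libreSignFile->getUserId() !== $this->userSession->getUser()->getUID()) {
-return new DataResponse([], Http::STATUS_FORBIDDEN);
-}
 
 if ($libreSignFile->getNodeType() === 'envelope') {
 if ($mimeFallback) {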
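Review bot: With the inline owner comparison (`getUserId() !== ...->getUID()` returning 403) removed from both `getThumbnail` and `getThumbnailByFileId`, the only authorization left on these routes is whatever code reads `#[RequireFileAccess(...)]`, and that code is not in the visible hunks. It should be confirmed to fail closed: the default `-1` identifier, an unknown file, and a caller who is neither owner nor signer must all be rejected before `fileMapper->getByNodeId()` / `getById()` runs. Both routes are `#[NoCSRFRequired]` and keyed by a sequential integer, so a regression test that requests another user's thumbnail on each route would pin the behaviour the deleted checks used to guarantee. I would also add a comment above each attribute, e.g. `// Authorization (owner or signer) is enforced via RequireFileAccess; this method performs no access check itself`. Both method bodies start and end outside the hunks shown.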
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
<?php
2+
3+
declare(strict_types=1);
4+
/**
5+
* SPDX-FileCopyrightText: 2026 LibreCode coop and contributors
6+
* SPDX-License-Identifier: AGPL-3.0-or-later
7+
*/
8+
9+
namespace OCA\Libresign\Middleware\Attribute;
10+
11+
use Attribute;
12+
13+
#[Attribute(Attribute::TARGET_METHOD)]
14+
class RequireFileAccess {
15+
public function __construct(
16+
private string $identifier = 'fileId',
17+
) {
18+
}
19+
20+
public function getIdentifier(): string {
21+
return $this->identifier;
22+
}
23+
}
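Review bot: `$identifier` accepts any string, so a typo at a call site (say `'fileID'`) is only caught by the code that reads the attribute, and if that code skips the check for a name it does not recognise, the route is left without an access check. Restricting the value to the two names used in this commit would close that gap, for example `if (!in_array($identifier, ['fileId', 'nodeId'], true)) { throw new \InvalidArgumentException('Unknown identifier'); }` in the constructor, or class constants for the two names. The class also has no docblock; a short one should state that the value names the route parameter carrying the id and how `nodeId` and `fileId` are resolved differently, since the controller now relies on this attribute alone for authorization.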
