Fix revoke member from a shared drive (#4574)

nono · web-flow · commit 1984f4083a6e · 2025-09-25T18:16:52.000+02:00
diff --git a/model/sharing/invitation.go b/model/sharing/invitation.go
@@ -50,10 +50,11 @@ func (s *Sharing) SendInvitations(inst *instance.Instance, perms *permission.Per
 
 			link := m.InvitationLink(inst, s, state, perms)
 			if m.Instance != "" && canSendShortcut {
+				m.Status = MemberStatusPendingInvitation
 				if err := m.SendShortcut(inst, s, link); err == nil {
-					m.Status = MemberStatusPendingInvitation
 					return nil
 				}
+				m.Status = MemberStatusMailNotSent
 			}
 			if m.Email == "" {
 				if len(m.Groups) > 0 {
diff --git a/model/sharing/member.go b/model/sharing/member.go
@@ -961,17 +961,23 @@ func (s *Sharing) RevokeMember(inst *instance.Instance, index int) error {
 	c := &s.Credentials[index-1]
 
 	// No need to contact the revoked member if the sharing is not ready
-	if m.Status == MemberStatusReady {
+	if m.Status == MemberStatusReady || s.Drive {
 		if err := s.NotifyMemberRevocation(inst, m, c); err != nil {
 			inst.Logger().WithNamespace("sharing").
 				Warnf("Error on revocation notification: %s", err)
 		}
+	}
 
+	if m.Status == MemberStatusReady {
 		if err := DeleteOAuthClient(inst, m, c); err != nil {
 			return err
 		}
 	}
 
+	if err := s.RemoveInteractPermissionsForAMember(inst, m, index); err != nil {
+		return err
+	}
+
 	// We may have concurrency issues where RevokeMember is called several
 	// times on different goroutines/processes. So, we may need to retry the
 	// operation several times.
@@ -1025,8 +1031,22 @@ func (s *Sharing) NotifyMemberRevocation(inst *instance.Instance, m *Member, c *
 	if m.Instance == "" || err != nil {
 		return ErrInvalidSharing
 	}
-	if c.Client == nil || c.AccessToken == nil {
-		return ErrNoOAuthClient
+	var token string
+	if s.Drive {
+		interact, err := permission.GetForShareInteract(inst, s.ID())
+		if err != nil {
+			return err
+		}
+		if code, ok := interact.Codes[m.Instance]; ok {
+			token = code
+		} else if code, ok := interact.Codes[m.Email]; ok {
+			token = code
+		}
+	} else {
+		if c.Client == nil || c.AccessToken == nil {
+			return ErrNoOAuthClient
+		}
+		token = c.AccessToken.AccessToken
 	}
 
 	var path string
@@ -1042,7 +1062,7 @@ func (s *Sharing) NotifyMemberRevocation(inst *instance.Instance, m *Member, c *
 		Domain: u.Host,
 		Path:   path,
 		Headers: request.Headers{
-			echo.HeaderAuthorization: "Bearer " + c.AccessToken.AccessToken,
+			echo.HeaderAuthorization: "Bearer " + token,
 		},
 		ParseError: ParseRequestError,
 	}
diff --git a/model/sharing/sharing.go b/model/sharing/sharing.go
@@ -314,6 +314,9 @@ func (s *Sharing) GetInteractCode(inst *instance.Instance, member *Member, membe
 	if err != nil {
 		return "", err
 	}
+	if interact.Codes == nil {
+		interact.Codes = make(map[string]string)
+	}
 	interact.Codes[key] = code
 	if err := couchdb.UpdateDoc(inst, interact); err != nil {
 		return "", err
@@ -462,6 +465,9 @@ func (s *Sharing) Revoke(inst *instance.Instance) error {
 			return err
 		}
 	}
+	if err := s.RevokeInteractPermissions(inst); err != nil {
+		return err
+	}
 	if rule := s.FirstBitwardenOrganizationRule(); rule != nil && len(rule.Values) > 0 {
 		if err := s.RemoveAllBitwardenMembers(inst, rule.Values[0]); err != nil {
 			return err
@@ -486,6 +492,43 @@ func (s *Sharing) RevokePreviewPermissions(inst *instance.Instance) error {
 	return couchdb.UpdateDoc(inst, perms)
 }
 
+// RevokeInteractPermissions ensure that the permissions for interact tokens
+// are no longer valid.
+func (s *Sharing) RevokeInteractPermissions(inst *instance.Instance) error {
+	perms, err := permission.GetForShareInteract(inst, s.SID)
+	if err != nil {
+		if couchdb.IsNotFoundError(err) {
+			return nil
+		}
+		return err
+	}
+	now := time.Now()
+	perms.ExpiresAt = &now
+	return couchdb.UpdateDoc(inst, perms)
+}
+
+func (s *Sharing) RemoveInteractPermissionsForAMember(inst *instance.Instance, m *Member, memberIndex int) error {
+	interact, err := permission.GetForShareInteract(inst, s.SID)
+	if err != nil {
+		if couchdb.IsNotFoundError(err) {
+			return nil
+		}
+		return err
+	}
+
+	indexKey := keyFromMemberIndex(memberIndex)
+	for key := range interact.Codes {
+		if key == "" {
+			continue
+		}
+		if key == m.Instance || key == m.Email || key == indexKey {
+			delete(interact.Codes, key)
+			return couchdb.UpdateDoc(inst, interact)
+		}
+	}
+	return nil
+}
+
 // RevokeRecipient revoke only one recipient on the sharer. After that, if the
 // sharing has still at least one active member, we keep it as is. Else, we
 // disable the sharing.
@@ -606,31 +649,35 @@ func (s *Sharing) RevokeByNotification(inst *instance.Instance) error {
 	if s.Owner {
 		return ErrInvalidSharing
 	}
-	if err := DeleteOAuthClient(inst, &s.Members[0], &s.Credentials[0]); err != nil {
-		return err
-	}
-	if err := s.RemoveTriggers(inst); err != nil {
-		return err
-	}
-	if err := s.ClearLastSequenceNumbers(inst, &s.Members[0]); err != nil {
-		return err
-	}
-	if err := RemoveSharedRefs(inst, s.SID); err != nil {
-		return err
-	}
-	if err := s.FixRevokedNotes(inst); err != nil {
-		inst.Logger().WithNamespace("sharing").
-			Warnf("RevokeByNotification failed to fix notes for revoked sharing %s: %s", s.ID(), err)
-	}
-	if rule := s.FirstFilesRule(); rule != nil && rule.Mime == "" {
-		if err := s.RemoveSharingDir(inst); err != nil {
+	if s.Drive {
+		s.cleanShortcutID(inst)
+	} else {
+		if err := DeleteOAuthClient(inst, &s.Members[0], &s.Credentials[0]); err != nil {
 			return err
 		}
-	}
-	if rule := s.FirstBitwardenOrganizationRule(); rule != nil && len(rule.Values) > 0 {
-		if err := s.RemoveBitwardenOrganization(inst, rule.Values[0]); err != nil {
+		if err := s.RemoveTriggers(inst); err != nil {
+			return err
+		}
+		if err := s.ClearLastSequenceNumbers(inst, &s.Members[0]); err != nil {
+			return err
+		}
+		if err := s.FixRevokedNotes(inst); err != nil {
+			inst.Logger().WithNamespace("sharing").
+				Warnf("RevokeByNotification failed to fix notes for revoked sharing %s: %s", s.ID(), err)
+		}
+		if rule := s.FirstFilesRule(); rule != nil && rule.Mime == "" {
+			if err := s.RemoveSharingDir(inst); err != nil {
+				return err
+			}
+		}
+		if err := RemoveSharedRefs(inst, s.SID); err != nil {
 			return err
 		}
+		if rule := s.FirstBitwardenOrganizationRule(); rule != nil && len(rule.Values) > 0 {
+			if err := s.RemoveBitwardenOrganization(inst, rule.Values[0]); err != nil {
+				return err
+			}
+		}
 	}
 
 	var err error
diff --git a/web/files/files.go b/web/files/files.go
@@ -1764,10 +1764,13 @@ var allowedChangesParams = map[string]bool{
 // deletions with the document ID as only information)
 func ChangesFeed(c echo.Context, inst *instance.Instance, sharedDir *vfs.DirDoc) error {
 	if sharedDir == nil {
-		//TODO: WARNING: check security here
 		if err := middlewares.AllowWholeType(c, permission.GET, consts.Files); err != nil {
 			return err
 		}
+	} else {
+		if err := middlewares.AllowVFS(c, permission.GET, sharedDir); err != nil {
+			return err
+		}
 	}
 
 	// Drop a clear error for parameters not supported by stack
diff --git a/web/sharings/drives.go b/web/sharings/drives.go
@@ -472,6 +472,9 @@ func proxy(fn func(c echo.Context, inst *instance.Instance, s *sharing.Sharing)
 		if !s.Drive {
 			return jsonapi.NotFound(errors.New("not a drive"))
 		}
+		if !s.Active {
+			return jsonapi.Forbidden(middlewares.ErrForbidden)
+		}
 
 		if s.Owner {
 			return fn(c, inst, s)
diff --git a/web/sharings/drives_test.go b/web/sharings/drives_test.go
@@ -1068,4 +1068,49 @@ func TestSharedDrives(t *testing.T) {
 				Expect().Status(401)
 		})
 	})
+
+	t.Run("RevokeRecipientAccess", func(t *testing.T) {
+		eA := httpexpect.Default(t, tsA.URL)
+		eB := httpexpect.Default(t, tsB.URL)
+
+		t.Run("RecipientCanInitiallyAccessSharedDrive", func(t *testing.T) {
+			eB.GET("/sharings/drives/"+sharingID+"/"+checklistID).
+				WithHeader("Authorization", "Bearer "+bettyAppToken).
+				Expect().Status(200).
+				JSON(httpexpect.ContentOpts{MediaType: "application/vnd.api+json"}).
+				Object().
+				Path("$.data.attributes.name").String().IsEqual("Checklist.txt")
+			obj := eB.GET("/sharings/drives").
+				WithHeader("Authorization", "Bearer "+bettyAppToken).
+				Expect().Status(200).
+				JSON(httpexpect.ContentOpts{MediaType: "application/vnd.api+json"}).
+				Object()
+			obj.Value("data").Array().Length().IsEqual(1)
+		})
+
+		t.Run("RemoveRecipientFromSharing", func(t *testing.T) {
+			eA.DELETE("/sharings/"+sharingID+"/recipients/1").
+				WithHeader("Authorization", "Bearer "+acmeAppToken).
+				Expect().Status(204)
+		})
+
+		t.Run("RevokedRecipientCannotAccessSharedDrive", func(t *testing.T) {
+			eB.GET("/sharings/drives/"+sharingID+"/"+checklistID).
+				WithHeader("Authorization", "Bearer "+bettyAppToken).
+				Expect().Status(403)
+			eB.GET("/sharings/drives/"+sharingID+"/metadata").
+				WithQuery("Path", "/Product team/Meetings/Checklist.txt").
+				WithHeader("Authorization", "Bearer "+bettyAppToken).
+				Expect().Status(403)
+			eB.GET("/sharings/drives/"+sharingID+"/_changes").
+				WithHeader("Authorization", "Bearer "+bettyAppToken).
+				Expect().Status(403)
+			obj := eB.GET("/sharings/drives").
+				WithHeader("Authorization", "Bearer "+bettyAppToken).
+				Expect().Status(200).
+				JSON(httpexpect.ContentOpts{MediaType: "application/vnd.api+json"}).
+				Object()
+			obj.Value("data").Array().Length().IsEqual(0)
+		})
+	})
 }
diff --git a/web/sharings/revoke.go b/web/sharings/revoke.go
@@ -4,6 +4,7 @@ import (
 	"errors"
 	"net/http"
 	"strconv"
+	"strings"
 
 	"github.com/cozy/cozy-stack/model/sharing"
 	"github.com/cozy/cozy-stack/pkg/jsonapi"
@@ -89,6 +90,17 @@ func RevocationRecipientNotif(c echo.Context) error {
 	if err != nil {
 		return wrapErrors(err)
 	}
+	if s.Drive {
+		token := c.Request().Header.Get(echo.HeaderAuthorization)
+		token = strings.TrimPrefix(token, "Bearer ")
+		if token == "" || token != s.Credentials[0].DriveToken {
+			return echo.NewHTTPError(http.StatusForbidden)
+		}
+	} else {
+		if err := hasSharingWritePermissions(c); err != nil {
+			return err
+		}
+	}
 	if err = s.RevokeByNotification(inst); err != nil {
 		return wrapErrors(err)
 	}
diff --git a/web/sharings/sharings.go b/web/sharings/sharings.go
@@ -941,7 +941,7 @@ func Routes(router *echo.Group) {
 	router.POST("/:sharing-id/recipients/self/readonly", DowngradeToReadOnly, checkSharingWritePermissions)  // On the recipient
 	router.DELETE("/:sharing-id/recipients/:index/readonly", RemoveReadOnly)                                 // On the sharer
 	router.DELETE("/:sharing-id/recipients/self/readonly", UpgradeToReadWrite, checkSharingWritePermissions) // On the recipient
-	router.DELETE("/:sharing-id", RevocationRecipientNotif, checkSharingWritePermissions)                    // On the recipient
+	router.DELETE("/:sharing-id", RevocationRecipientNotif)                                                  // On the recipient
 	router.DELETE("/:sharing-id/recipients/self", RevokeRecipientBySelf)                                     // On the recipient
 	router.DELETE("/:sharing-id/answer", RevocationOwnerNotif, checkSharingWritePermissions)                 // On the sharer
 	router.POST("/:sharing-id/public-key", ReceivePublicKey)

Original file line number	Diff line number	Diff line change
`@@ -50,10 +50,11 @@ func (s Sharing) SendInvitations(inst instance.Instance, perms *permission.Per`
`50`	`50`
`51`	`51`	`link := m.InvitationLink(inst, s, state, perms)`
`52`	`52`	`if m.Instance != "" && canSendShortcut {`
	`53`	`+ m.Status = MemberStatusPendingInvitation`
`53`	`54`	`if err := m.SendShortcut(inst, s, link); err == nil {`
`54`		`- m.Status = MemberStatusPendingInvitation`
`55`	`55`	`return nil`
`56`	`56`	`}`
	`57`	`+ m.Status = MemberStatusMailNotSent`
`57`	`58`	`}`
`58`	`59`	`if m.Email == "" {`
`59`	`60`	`if len(m.Groups) > 0 {`
Original file line number	Diff line number	Diff line change
`@@ -1764,10 +1764,13 @@ var allowedChangesParams = map[string]bool{`
`1764`	`1764`	`// deletions with the document ID as only information)`
`1765`	`1765`	`func ChangesFeed(c echo.Context, inst instance.Instance, sharedDir vfs.DirDoc) error {`
`1766`	`1766`	`if sharedDir == nil {`
`1767`		`- //TODO: WARNING: check security here`
`1768`	`1767`	`if err := middlewares.AllowWholeType(c, permission.GET, consts.Files); err != nil {`
`1769`	`1768`	`return err`
`1770`	`1769`	`}`
	`1770`	`+ } else {`
	`1771`	`+ if err := middlewares.AllowVFS(c, permission.GET, sharedDir); err != nil {`
	`1772`	`+ return err`
	`1773`	`+ }`
`1771`	`1774`	`}`
`1772`	`1775`
`1773`	`1776`	`// Drop a clear error for parameters not supported by stack`
Original file line number	Diff line number	Diff line change
`@@ -472,6 +472,9 @@ func proxy(fn func(c echo.Context, inst instance.Instance, s sharing.Sharing)`
`472`	`472`	`if !s.Drive {`
`473`	`473`	`return jsonapi.NotFound(errors.New("not a drive"))`
`474`	`474`	`}`
	`475`	`+ if !s.Active {`
	`476`	`+ return jsonapi.Forbidden(middlewares.ErrForbidden)`
	`477`	`+ }`
`475`	`478`
`476`	`479`	`if s.Owner {`
`477`	`480`	`return fn(c, inst, s)`