@@ -82,6 +82,25 @@ func RevokeGroup(c echo.Context) error {
8282 return c .NoContent (http .StatusNoContent )
8383}
8484
85+ // getBearerToken extracts the Bearer token from the Authorization header
86+ func getBearerToken (c echo.Context ) string {
87+ token := c .Request ().Header .Get (echo .HeaderAuthorization )
88+ return strings .TrimPrefix (token , "Bearer " )
89+ }
90+
91+ // checkDriveSharingWritePermissions checks if the request has valid permissions for a Drive sharing.
92+ // For non-Drive sharings, it falls back to OAuth-based permission checking.
93+ func checkDriveSharingWritePermissions (c echo.Context , s * sharing.Sharing ) error {
94+ if s .Drive {
95+ token := getBearerToken (c )
96+ if token == "" || len (s .Credentials ) == 0 || token != s .Credentials [0 ].DriveToken {
97+ return echo .NewHTTPError (http .StatusForbidden )
98+ }
99+ return nil
100+ }
101+ return hasSharingWritePermissions (c )
102+ }
103+
85104// RevocationRecipientNotif is used to inform a recipient that the sharing is revoked
86105func RevocationRecipientNotif (c echo.Context ) error {
87106 inst := middlewares .GetInstance (c )
@@ -90,16 +109,8 @@ func RevocationRecipientNotif(c echo.Context) error {
90109 if err != nil {
91110 return wrapErrors (err )
92111 }
93- if s .Drive {
94- token := c .Request ().Header .Get (echo .HeaderAuthorization )
95- token = strings .TrimPrefix (token , "Bearer " )
96- if token == "" || len (s .Credentials ) == 0 || token != s .Credentials [0 ].DriveToken {
97- return echo .NewHTTPError (http .StatusForbidden )
98- }
99- } else {
100- if err := hasSharingWritePermissions (c ); err != nil {
101- return err
102- }
112+ if err := checkDriveSharingWritePermissions (c , s ); err != nil {
113+ return err
103114 }
104115 if err = s .RevokeByNotification (inst ); err != nil {
105116 return wrapErrors (err )
@@ -116,10 +127,26 @@ func RevocationOwnerNotif(c echo.Context) error {
116127 if err != nil {
117128 return wrapErrors (err )
118129 }
119- member , err := requestMember (c , s )
130+
131+ // For Drive sharings, FindMemberByInteractCode validates the token and finds the member.
132+ // For non-Drive sharings, we check permissions first, then get the member via OAuth.
133+ var member * sharing.Member
134+ if s .Drive {
135+ token := getBearerToken (c )
136+ if token == "" {
137+ return echo .NewHTTPError (http .StatusForbidden )
138+ }
139+ member , err = s .FindMemberByInteractCode (inst , token )
140+ } else {
141+ if err := hasSharingWritePermissions (c ); err != nil {
142+ return err
143+ }
144+ member , err = requestMember (c , s )
145+ }
120146 if err != nil {
121147 return wrapErrors (err )
122148 }
149+
123150 if err = s .RevokeRecipientByNotification (inst , member ); err != nil {
124151 return wrapErrors (err )
125152 }
0 commit comments