feat: Add storage wrappert to block download on secure view

juliusknorr · juliusknorr · commit 09e745716fc6 · 2025-05-16T11:02:18.000+02:00
Signed-off-by: Julius Knorr &lt;jus@bitgrid.net&gt;
diff --git a/lib/AppConfig.php b/lib/AppConfig.php
@@ -204,6 +204,13 @@ public function useSecureViewAdditionalMimes(): bool {
 		return $this->config->getAppValue(Application::APPNAME, self::USE_SECURE_VIEW_ADDITIONAL_MIMES, 'no') === 'yes';
 	}
 
+	public function getMimeTypes(): array {
+		return array_merge([
+			Capabilities::MIMETYPES,
+			Capabilities::MIMETYPES_MSOFFICE,
+		]);
+	}
+
 	public function getDomainList(): array {
 		$urls = array_merge(
 			[ $this->domainOnly($this->getCollaboraUrlPublic()) ],
diff --git a/lib/AppInfo/Application.php b/lib/AppInfo/Application.php
@@ -20,6 +20,7 @@
 use OCA\Richdocuments\Listener\FileCreatedFromTemplateListener;
 use OCA\Richdocuments\Listener\LoadAdditionalListener;
 use OCA\Richdocuments\Listener\LoadViewerListener;
+use OCA\Richdocuments\Listener\OverwritePublicSharePropertiesListener;
 use OCA\Richdocuments\Listener\ReferenceListener;
 use OCA\Richdocuments\Listener\RegisterTemplateFileCreatorListener;
 use OCA\Richdocuments\Listener\ShareLinkListener;
@@ -32,13 +33,15 @@
 use OCA\Richdocuments\Preview\OpenDocument;
 use OCA\Richdocuments\Preview\Pdf;
 use OCA\Richdocuments\Reference\OfficeTargetReferenceProvider;
+use OCA\Richdocuments\Storage\SecureViewWrapper;
 use OCA\Richdocuments\TaskProcessing\SlideDeckGenerationProvider;
 use OCA\Richdocuments\TaskProcessing\SlideDeckGenerationTaskType;
 use OCA\Richdocuments\TaskProcessing\TextToDocumentProvider;
 use OCA\Richdocuments\TaskProcessing\TextToDocumentTaskType;
 use OCA\Richdocuments\TaskProcessing\TextToSpreadsheetProvider;
 use OCA\Richdocuments\TaskProcessing\TextToSpreadsheetTaskType;
 use OCA\Richdocuments\Template\CollaboraTemplateProvider;
+use OCA\Talk\Events\OverwritePublicSharePropertiesEvent;
 use OCA\Viewer\Event\LoadViewer;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@@ -47,6 +50,7 @@
 use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent;
 use OCP\Collaboration\Reference\RenderReferenceEvent;
 use OCP\Collaboration\Resources\LoadAdditionalScriptsEvent;
+use OCP\Files\Storage\IStorage;
 use OCP\Files\Template\BeforeGetTemplatesEvent;
 use OCP\Files\Template\FileCreatedFromTemplateEvent;
 use OCP\Files\Template\RegisterTemplateCreatorEvent;
@@ -62,6 +66,8 @@ public function __construct(array $urlParams = []) {
 	}
 
 	public function register(IRegistrationContext $context): void {
+		\OCP\Util::connectHook('OC_Filesystem', 'preSetup', $this, 'addStorageWrapper');
+
 		$context->registerTemplateProvider(CollaboraTemplateProvider::class);
 		$context->registerCapability(Capabilities::class);
 		$context->registerMiddleWare(WOPIMiddleware::class);
@@ -76,6 +82,7 @@ public function register(IRegistrationContext $context): void {
 		$context->registerEventListener(RenderReferenceEvent::class, ReferenceListener::class);
 		$context->registerEventListener(BeforeTemplateRenderedEvent::class, BeforeTemplateRenderedListener::class);
 		$context->registerEventListener(BeforeGetTemplatesEvent::class, BeforeGetTemplatesListener::class);
+		$context->registerEventListener(OverwritePublicSharePropertiesEvent::class, OverwritePublicSharePropertiesListener::class);
 		$context->registerReferenceProvider(OfficeTargetReferenceProvider::class);
 		$context->registerSensitiveMethods(WopiMapper::class, [
 			'getPathForToken',
@@ -101,4 +108,30 @@ public function register(IRegistrationContext $context): void {
 
 	public function boot(IBootContext $context): void {
 	}
+
+	/**
+	 * @internal
+	 */
+	public function addStorageWrapper(): void {
+		// FIXME: We can skip this if secure view is not enabled at all
+		// Needs to be added as the first layer
+		\OC\Files\Filesystem::addStorageWrapper('richdocuments', [$this, 'addStorageWrapperCallback'], -10);
+	}
+
+	/**
+	 * @param $mountPoint
+	 * @param IStorage $storage
+	 * @return SecureViewWrapper|IStorage
+	 *@internal
+	 */
+	public function addStorageWrapperCallback($mountPoint, IStorage $storage) {
+		if (!\OC::$CLI && $mountPoint !== '/') {
+			return new SecureViewWrapper([
+				'storage' => $storage,
+				'mountPoint' => $mountPoint,
+			]);
+		}
+
+		return $storage;
+	}
 }
diff --git a/lib/Listener/OverwritePublicSharePropertiesListener.php b/lib/Listener/OverwritePublicSharePropertiesListener.php
@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\Richdocuments\Listener;
+
+use OCA\Richdocuments\PermissionManager;
+use OCA\Talk\Events\OverwritePublicSharePropertiesEvent;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\Files\NotFoundException;
+
+/** @template-implements IEventListener<OverwritePublicSharePropertiesEvent|Event> */
+class OverwritePublicSharePropertiesListener implements IEventListener {
+	public function __construct(
+		private PermissionManager $permissionManager,
+		private ?string $userId,
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if (!$event instanceof OverwritePublicSharePropertiesEvent) {
+			return;
+		}
+
+		$share = $event->getShare();
+		try {
+			$node = $share->getNode();
+		} catch (NotFoundException) {
+			return;
+		}
+
+		if ($this->permissionManager->shouldWatermark($node, $this->userId, $share)) {
+			$share->setHideDownload(true);
+		}
+	}
+}
diff --git a/lib/Middleware/WOPIMiddleware.php b/lib/Middleware/WOPIMiddleware.php
@@ -33,6 +33,7 @@ public function __construct(
 		private IRequest $request,
 		private WopiMapper $wopiMapper,
 		private LoggerInterface $logger,
+		private bool $isWOPIRequest = false,
 	) {
 	}
 
@@ -78,6 +79,8 @@ public function beforeController($controller, $methodName) {
 			$this->logger->error('Failed to validate WOPI access', [ 'exception' => $e ]);
 			throw new NotPermittedException();
 		}
+
+		$this->isWOPIRequest = true;
 	}
 
 	public function afterException($controller, $methodName, \Exception $exception): Response {
@@ -110,4 +113,8 @@ public function isWOPIAllowed(): bool {
 		$this->logger->warning('WOPI request denied from ' . $userIp . ' as it does not match the configured ranges: ' . implode(', ', $allowedRanges));
 		return false;
 	}
+
+	public function isWOPIRequest(): bool {
+		return $this->isWOPIRequest;
+	}
 }
diff --git a/lib/PermissionManager.php b/lib/PermissionManager.php
@@ -117,6 +117,10 @@ public function shouldWatermark(Node $node, ?string $userId = null, ?IShare $sha
 			return false;
 		}
 
+		if (!in_array($node->getMimetype(), $this->appConfig->getMimeTypes(), true)) {
+			return false;
+		}
+
 		$fileId = $node->getId();
 
 		$isUpdatable = $node->isUpdateable() && (!$share || $share->getPermissions() & Constants::PERMISSION_UPDATE);
@@ -163,7 +167,7 @@ public function shouldWatermark(Node $node, ?string $userId = null, ?IShare $sha
 		}
 
 		if ($this->config->getAppValue(AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_shareTalkPublic', 'no') === 'yes') {
-			if ($userId === null && $share->getShareType() === IShare::TYPE_ROOM) {
+			if ($userId === null && $share?->getShareType() === IShare::TYPE_ROOM) {
 				return true;
 			}
 		}
diff --git a/lib/Storage/SecureViewWrapper.php b/lib/Storage/SecureViewWrapper.php
@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Richdocuments\Storage;
+
+use OC\Files\Storage\Wrapper\Wrapper;
+use OCA\Richdocuments\Middleware\WOPIMiddleware;
+use OCA\Richdocuments\PermissionManager;
+use OCP\Files\ForbiddenException;
+use OCP\Files\IRootFolder;
+use OCP\Files\Storage\ISharedStorage;
+use OCP\IUserSession;
+use OCP\Server;
+
+class SecureViewWrapper extends Wrapper {
+	private PermissionManager $permissionManager;
+	private WOPIMiddleware $wopiMiddleware;
+	private IRootFolder $rootFolder;
+	private IUserSession $userSession;
+
+	private string $mountPoint;
+
+	public function __construct(array $parameters) {
+		parent::__construct($parameters);
+
+		$this->permissionManager = Server::get(PermissionManager::class);
+		$this->wopiMiddleware = Server::get(WOPIMiddleware::class);
+		$this->rootFolder = Server::get(IRootFolder::class);
+		$this->userSession = Server::get(IUserSession::class);
+
+		$this->mountPoint = $parameters['mountPoint'];
+	}
+
+	public function fopen($path, $mode) {
+		$this->checkFileAccess($path);
+
+		return $this->storage->fopen($path, $mode);
+	}
+
+	public function checkFileAccess($path) {
+		$isWopiRequest = $this->wopiMiddleware->isWOPIRequest();
+
+		$isSharedStorage = $this->instanceOfStorage(ISharedStorage::class);
+		$node = $this->rootFolder->get($this->mountPoint)->get($path);
+		$share = $isSharedStorage && method_exists($this, 'getShare') ? $this->getShare() : null;
+		$userId = $this->userSession->getUser()?->getUID();
+
+		if ($this->permissionManager->shouldWatermark($node, $userId, $share) && !$isWopiRequest) {
+			throw new ForbiddenException('Download blocked due the secure view policy', false);
+		}
+	}
+}
diff --git a/tests/lib/PermissionManagerTest.php b/tests/lib/PermissionManagerTest.php
@@ -6,6 +6,7 @@
 namespace Tests\Richdocuments;
 
 use OCA\Richdocuments\AppConfig;
+use OCA\Richdocuments\Capabilities;
 use OCA\Richdocuments\PermissionManager;
 use OCP\Files\Node;
 use OCP\IConfig;
@@ -136,24 +137,25 @@ public static function dataWatermarkTagIds(): array {
 
 	/** @dataProvider dataWatermarkTagIds */
 	public function testShouldWatermarkOptionLinkTags(array $objectTagIds, array $watermarkTagIds): void {
-		$node = $this->createMock(Node::class);
-		$share = $this->createMock(IShare::class);
+		$node = $this->createNodeMock();
+		$share = $this->createShareMock(IShare::TYPE_LINK);
 		$userId = 'testUserId';
 
+		$this->appConfig->expects($this->any())
+			->method('getMimeTypes')
+			->willReturn(Capabilities::MIMETYPES);
+
 		$this->config
-			->expects($this->exactly(5))
 			->method('getAppValue')
 			->willReturnMap([
 				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_enabled', 'no', 'yes'],
 				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkAll', 'no', 'no'],
 				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkRead', 'no', 'no'],
 				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkSecure', 'no', 'no'],
 				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkTags', 'no', 'yes'],
+				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_shareTalkPublic', 'no', 'no'],
 			]);
 
-		$node->expects($this->once())->method('getId')->willReturn('testFileId');
-		$node->expects($this->once())->method('isUpdateable')->willReturn(false);
-
 		$share->expects($this->once())->method('getHideDownload')->willReturn(true);
 		$share->expects($this->once())->method('getAttributes')->willReturn(null);
 		$share->expects($this->once())->method('getShareType')->willReturn(IShare::TYPE_LINK);
@@ -167,12 +169,14 @@ public function testShouldWatermarkOptionLinkTags(array $objectTagIds, array $wa
 
 	/** @dataProvider dataWatermarkTagIds */
 	public function testShouldWatermarkOptionAllTags(array $objectTagIds, array $watermarkTagIds): void {
-		$node = $this->createMock(Node::class);
-		$share = $this->createMock(IShare::class);
+		$node = $this->createNodeMock();
 		$userId = 'testUserId';
 
+		$this->appConfig->expects($this->any())
+			->method('getMimeTypes')
+			->willReturn(Capabilities::MIMETYPES);
+
 		$this->config
-			->expects($this->exactly(6))
 			->method('getAppValue')
 			->willReturnMap([
 				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_enabled', 'no', 'yes'],
@@ -183,13 +187,55 @@ public function testShouldWatermarkOptionAllTags(array $objectTagIds, array $wat
 				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_allTags', 'no', 'yes'],
 			]);
 
-		$node->expects($this->once())->method('getId')->willReturn('testFileId');
-		$node->expects($this->once())->method('isUpdateable')->willReturn(false);
 		$this->systemTagMapper->expects($this->once())->method('getTagIdsForObjects')->willReturn(['testFileId' => $objectTagIds]);
 		$this->appConfig->expects($this->once())->method('getAppValueArray')->willReturn($watermarkTagIds);
 
 		$result = $this->permissionManager->shouldWatermark($node, $userId, null);
 
 		$this->assertTrue($result);
 	}
+
+	public function testShouldWatermarkOptionTalkPublic(): void {
+		$node = $this->createNodeMock();
+		$share = $this->createShareMock(IShare::TYPE_ROOM);
+		$userId = null;
+
+		$this->appConfig->expects($this->any())
+			->method('getMimeTypes')
+			->willReturn(Capabilities::MIMETYPES);
+
+		$this->config
+			->method('getAppValue')
+			->willReturnMap([
+				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_enabled', 'no', 'yes'],
+				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkAll', 'no', 'no'],
+				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkRead', 'no', 'no'],
+				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkSecure', 'no', 'no'],
+				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_linkTags', 'no', 'no'],
+				[AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_shareTalkPublic', 'no', 'yes'],
+			]);
+		$result = $this->permissionManager->shouldWatermark($node, $userId, $share);
+
+		$this->assertTrue($result);
+	}
+
+	private function createNodeMock(): Node {
+		$node = $this->createMock(Node::class);
+		$node->expects($this->any())->method('getMimetype')->willReturn('application/vnd.oasis.opendocument.spreadsheet');
+		$node->expects($this->any())->method('getId')->willReturn('testFileId');
+		$node->expects($this->any())->method('isUpdateable')->willReturn(false);
+		return $node;
+	}
+
+	private function createShareMock(?int $shareType): ?IShare {
+		if ($shareType === null) {
+			return null;
+		}
+
+		$share = $this->createMock(IShare::class);
+		$share->expects($this->any())->method('getHideDownload')->willReturn(true);
+		$share->expects($this->any())->method('getAttributes')->willReturn(null);
+		$share->expects($this->any())->method('getShareType')->willReturn($shareType);
+		return $share;
+	}
 }
diff --git a/tests/psalm-baseline.xml b/tests/psalm-baseline.xml
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<files psalm-version="5.26.1@d747f6500b38ac4f7dfc5edbcae6e4b637d7add0">
+<files psalm-version="6.5.1@3f17a6b24a2dbe543e21408c2b19108cf6a355ef">
   <file src="lib/AppConfig.php">
     <InvalidArgument>
       <code><![CDATA[[]]]></code>
@@ -8,6 +8,11 @@
       <code><![CDATA[array_key_exists($key, self::APP_SETTING_TYPES) && self::APP_SETTING_TYPES[$key] === 'array']]></code>
     </RedundantCondition>
   </file>
+  <file src="lib/AppInfo/Application.php">
+    <MissingDependency>
+      <code><![CDATA[SecureViewWrapper|IStorage]]></code>
+    </MissingDependency>
+  </file>
   <file src="lib/Command/ActivateConfig.php">
     <UndefinedClass>
       <code><![CDATA[Command]]></code>
diff --git a/tests/stub.phpstub b/tests/stub.phpstub
@@ -130,3 +130,20 @@ class OC_Util {
 	public static function setupFS(?string $user);
 	public static function tearDownFS();
 }
+
+namespace OCA\Talk\Events {
+	use OCP\EventDispatcher\Event;
+	use OCP\Share\IShare;
+
+	class OverwritePublicSharePropertiesEvent extends Event {
+		public function __construct(
+			protected IShare $share,
+		) {
+			parent::__construct();
+		}
+
+		public function getShare(): IShare {
+			return $this->share;
+		}
+	}
+}

Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@ public function __construct(`
`33`	`33`	`private IRequest $request,`
`34`	`34`	`private WopiMapper $wopiMapper,`
`35`	`35`	`private LoggerInterface $logger,`
	`36`	`+ private bool $isWOPIRequest = false,`
`36`	`37`	`) {`
`37`	`38`	`}`
`38`	`39`
`@@ -78,6 +79,8 @@ public function beforeController($controller, $methodName) {`
`78`	`79`	`$this->logger->error('Failed to validate WOPI access', [ 'exception' => $e ]);`
`79`	`80`	`throw new NotPermittedException();`
`80`	`81`	`}`
	`82`	`+`
	`83`	`+ $this->isWOPIRequest = true;`
`81`	`84`	`}`
`82`	`85`
`83`	`86`	`public function afterException($controller, $methodName, \Exception $exception): Response {`
`@@ -110,4 +113,8 @@ public function isWOPIAllowed(): bool {`
`110`	`113`	`$this->logger->warning('WOPI request denied from ' . $userIp . ' as it does not match the configured ranges: ' . implode(', ', $allowedRanges));`
`111`	`114`	`return false;`
`112`	`115`	`}`
	`116`	`+`
	`117`	`+ public function isWOPIRequest(): bool {`
	`118`	`+ return $this->isWOPIRequest;`
	`119`	`+ }`
`113`	`120`	`}`
Original file line number	Diff line number	Diff line change
`@@ -117,6 +117,10 @@ public function shouldWatermark(Node $node, ?string $userId = null, ?IShare $sha`
`117`	`117`	`return false;`
`118`	`118`	`}`
`119`	`119`
	`120`	`+ if (!in_array($node->getMimetype(), $this->appConfig->getMimeTypes(), true)) {`
	`121`	`+ return false;`
	`122`	`+ }`
	`123`	`+`
`120`	`124`	`$fileId = $node->getId();`
`121`	`125`
`122`	`126`	`$isUpdatable = $node->isUpdateable() && (!$share \|\| $share->getPermissions() & Constants::PERMISSION_UPDATE);`
`@@ -163,7 +167,7 @@ public function shouldWatermark(Node $node, ?string $userId = null, ?IShare $sha`
`163`	`167`	`}`
`164`	`168`
`165`	`169`	`if ($this->config->getAppValue(AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_shareTalkPublic', 'no') === 'yes') {`
`166`		`- if ($userId === null && $share->getShareType() === IShare::TYPE_ROOM) {`
	`170`	`+ if ($userId === null && $share?->getShareType() === IShare::TYPE_ROOM) {`
`167`	`171`	`return true;`
`168`	`172`	`}`
`169`	`173`	`}`