feat: Add storage wrappert to block download on secure view

Signed-off-by: Julius Knorr <jus@bitgrid.net>

Author: juliusknorr

appinfo/info.xml

@@ -15,6 +15,7 @@ You can also edit your documents off-line with the Collabora Office app from the
 	<licence>agpl</licence>
 	<author>Collabora Productivity based on work of Frank Karlitschek, Victor Dubiniuk</author>
 	<types>
+		<filesystem />
 		<prevent_group_restriction/>
 	</types>
 	<documentation>

lib/AppConfig.php

@@ -202,6 +202,13 @@ public function useSecureViewAdditionalMimes(): bool {
 		return $this->config->getAppValue(Application::APPNAME, self::USE_SECURE_VIEW_ADDITIONAL_MIMES, 'no') === 'yes';
 	}
 
+	public function getMimeTypes(): array {
+		return array_merge(
+			Capabilities::MIMETYPES,
+			Capabilities::MIMETYPES_MSOFFICE,
+		);
+	}
+
 	public function getDomainList(): array {
 		$urls = array_merge(
 			[ $this->domainOnly($this->getCollaboraUrlPublic()) ],

lib/AppInfo/Application.php

@@ -9,6 +9,7 @@
 namespace OCA\Richdocuments\AppInfo;
 
 use OCA\Files_Sharing\Event\ShareLinkAccessedEvent;
+use OCA\Richdocuments\AppConfig;
 use OCA\Richdocuments\Capabilities;
 use OCA\Richdocuments\Conversion\ConversionProvider;
 use OCA\Richdocuments\Db\WopiMapper;
@@ -20,6 +21,7 @@
 use OCA\Richdocuments\Listener\FileCreatedFromTemplateListener;
 use OCA\Richdocuments\Listener\LoadAdditionalListener;
 use OCA\Richdocuments\Listener\LoadViewerListener;
+use OCA\Richdocuments\Listener\OverwritePublicSharePropertiesListener;
 use OCA\Richdocuments\Listener\ReferenceListener;
 use OCA\Richdocuments\Listener\RegisterTemplateFileCreatorListener;
 use OCA\Richdocuments\Listener\ShareLinkListener;
@@ -32,7 +34,9 @@
 use OCA\Richdocuments\Preview\OpenDocument;
 use OCA\Richdocuments\Preview\Pdf;
 use OCA\Richdocuments\Reference\OfficeTargetReferenceProvider;
+use OCA\Richdocuments\Storage\SecureViewWrapper;
 use OCA\Richdocuments\Template\CollaboraTemplateProvider;
+use OCA\Talk\Events\OverwritePublicSharePropertiesEvent;
 use OCA\Viewer\Event\LoadViewer;
 use OCP\AppFramework\App;
 use OCP\AppFramework\Bootstrap\IBootContext;
@@ -41,12 +45,15 @@
 use OCP\AppFramework\Http\Events\BeforeTemplateRenderedEvent;
 use OCP\Collaboration\Reference\RenderReferenceEvent;
 use OCP\Collaboration\Resources\LoadAdditionalScriptsEvent;
+use OCP\Files\Storage\IStorage;
 use OCP\Files\Template\BeforeGetTemplatesEvent;
 use OCP\Files\Template\FileCreatedFromTemplateEvent;
 use OCP\Files\Template\RegisterTemplateCreatorEvent;
+use OCP\IAppConfig;
 use OCP\Preview\BeforePreviewFetchedEvent;
 use OCP\Security\CSP\AddContentSecurityPolicyEvent;
 use OCP\Security\FeaturePolicy\AddFeaturePolicyEvent;
+use OCP\Server;
 
 class Application extends App implements IBootstrap {
 	public const APPNAME = 'richdocuments';
@@ -56,6 +63,8 @@ public function __construct(array $urlParams = []) {
 	}
 
 	public function register(IRegistrationContext $context): void {
+		\OCP\Util::connectHook('OC_Filesystem', 'preSetup', $this, 'addStorageWrapper');
+
 		$context->registerTemplateProvider(CollaboraTemplateProvider::class);
 		$context->registerCapability(Capabilities::class);
 		$context->registerMiddleWare(WOPIMiddleware::class);
@@ -70,6 +79,7 @@ public function register(IRegistrationContext $context): void {
 		$context->registerEventListener(RenderReferenceEvent::class, ReferenceListener::class);
 		$context->registerEventListener(BeforeTemplateRenderedEvent::class, BeforeTemplateRenderedListener::class);
 		$context->registerEventListener(BeforeGetTemplatesEvent::class, BeforeGetTemplatesListener::class);
+		$context->registerEventListener(OverwritePublicSharePropertiesEvent::class, OverwritePublicSharePropertiesListener::class);
 		$context->registerReferenceProvider(OfficeTargetReferenceProvider::class);
 		$context->registerSensitiveMethods(WopiMapper::class, [
 			'getPathForToken',
@@ -88,4 +98,32 @@ public function register(IRegistrationContext $context): void {
 
 	public function boot(IBootContext $context): void {
 	}
+
+	/**
+	 * @internal
+	 */
+	public function addStorageWrapper(): void {
+		if (Server::get(IAppConfig::class)->getValueString(AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_enabled', 'no') === 'no') {
+			return;
+		}
+
+		\OC\Files\Filesystem::addStorageWrapper('richdocuments', [$this, 'addStorageWrapperCallback'], -10);
+	}
+
+	/**
+	 * @param $mountPoint
+	 * @param IStorage $storage
+	 * @return SecureViewWrapper|IStorage
+	 *@internal
+	 */
+	public function addStorageWrapperCallback($mountPoint, IStorage $storage) {
+		if (!\OC::$CLI && $mountPoint !== '/') {
+			return new SecureViewWrapper([
+				'storage' => $storage,
+				'mountPoint' => $mountPoint,
+			]);
+		}
+
+		return $storage;
+	}
 }

lib/Controller/WopiController.php

@@ -132,6 +132,9 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 		$isSmartPickerEnabled = (bool)$wopi->getCanwrite() && !$isPublic && !$wopi->getDirect();
 		$isTaskProcessingEnabled = $isSmartPickerEnabled && $this->taskProcessingManager->isTaskProcessingEnabled();
 
+		$share = $this->getShareForWopiToken($wopi, $file);
+		$shouldUseSecureView = $this->permissionManager->shouldWatermark($file, $wopi->getEditorUid(), $share);
+
 		// If the file is locked manually by a user we want to open it read only for all others
 		$canWriteThroughLock = true;
 		try {
@@ -153,7 +156,7 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 			'UserExtraInfo' => [],
 			'UserPrivateInfo' => [],
 			'UserCanWrite' => $canWriteThroughLock && (bool)$wopi->getCanwrite(),
-			'UserCanNotWriteRelative' => $isPublic || $this->encryptionManager->isEnabled() || $wopi->getHideDownload() || $wopi->isRemoteToken(),
+			'UserCanNotWriteRelative' => $isPublic || $this->encryptionManager->isEnabled() || $wopi->getHideDownload() || $wopi->isRemoteToken() || $shouldUseSecureView,
 			'PostMessageOrigin' => $wopi->getServerHost(),
 			'LastModifiedTime' => Helper::toISO8601($file->getMTime()),
 			'SupportsRename' => !$isVersion && !$wopi->isRemoteToken(),
@@ -163,11 +166,11 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 			'EnableShare' => $file->isShareable() && !$isVersion && !$isPublic,
 			'HideUserList' => '',
 			'EnableOwnerTermination' => $wopi->getCanwrite() && !$isPublic,
-			'DisablePrint' => $wopi->getHideDownload(),
-			'DisableExport' => $wopi->getHideDownload(),
-			'DisableCopy' => $wopi->getHideDownload(),
-			'HideExportOption' => $wopi->getHideDownload(),
-			'HidePrintOption' => $wopi->getHideDownload(),
+			'DisablePrint' => $wopi->getHideDownload() || $shouldUseSecureView,
+			'DisableExport' => $wopi->getHideDownload() || $shouldUseSecureView,
+			'DisableCopy' => $wopi->getHideDownload() || $shouldUseSecureView,
+			'HideExportOption' => $wopi->getHideDownload() || $shouldUseSecureView,
+			'HidePrintOption' => $wopi->getHideDownload() || $shouldUseSecureView,
 			'DownloadAsPostMessage' => $wopi->getDirect(),
 			'SupportsLocks' => $this->lockManager->isLockProviderAvailable(),
 			'IsUserLocked' => $this->permissionManager->userIsFeatureLocked($wopi->getEditorUid()),
@@ -220,8 +223,7 @@ public function checkFileInfo(string $fileId, string $access_token): JSONRespons
 			$response['TemplateSource'] = $this->getWopiUrlForTemplate($wopi);
 		}
 
-		$share = $this->getShareForWopiToken($wopi, $file);
-		if ($this->permissionManager->shouldWatermark($file, $wopi->getEditorUid(), $share)) {
+		if ($shouldUseSecureView) {
 			$email = $user !== null && !$isPublic ? $user->getEMailAddress() : '';
 			$currentDateTime = new \DateTime(
 				'now',

lib/Listener/OverwritePublicSharePropertiesListener.php

@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\Richdocuments\Listener;
+
+use OCA\Richdocuments\PermissionManager;
+use OCA\Talk\Events\OverwritePublicSharePropertiesEvent;
+use OCP\EventDispatcher\Event;
+use OCP\EventDispatcher\IEventListener;
+use OCP\Files\NotFoundException;
+
+/** @template-implements IEventListener<OverwritePublicSharePropertiesEvent|Event> */
+class OverwritePublicSharePropertiesListener implements IEventListener {
+	public function __construct(
+		private PermissionManager $permissionManager,
+		private ?string $userId,
+	) {
+	}
+
+	public function handle(Event $event): void {
+		if (!$event instanceof OverwritePublicSharePropertiesEvent) {
+			return;
+		}
+
+		$share = $event->getShare();
+		try {
+			$node = $share->getNode();
+		} catch (NotFoundException) {
+			return;
+		}
+
+		if ($this->permissionManager->shouldWatermark($node, $this->userId, $share)) {
+			$share->setHideDownload(true);
+		}
+	}
+}

lib/Middleware/WOPIMiddleware.php

@@ -33,6 +33,7 @@ public function __construct(
 		private IRequest $request,
 		private WopiMapper $wopiMapper,
 		private LoggerInterface $logger,
+		private bool $isWOPIRequest = false,
 	) {
 	}
 
@@ -78,6 +79,8 @@ public function beforeController($controller, $methodName) {
 			$this->logger->error('Failed to validate WOPI access', [ 'exception' => $e ]);
 			throw new NotPermittedException();
 		}
+
+		$this->isWOPIRequest = true;
 	}
 
 	public function afterException($controller, $methodName, \Exception $exception): Response {
@@ -110,4 +113,8 @@ public function isWOPIAllowed(): bool {
 		$this->logger->warning('WOPI request denied from ' . $userIp . ' as it does not match the configured ranges: ' . implode(', ', $allowedRanges));
 		return false;
 	}
+
+	public function isWOPIRequest(): bool {
+		return $this->isWOPIRequest;
+	}
 }

lib/PermissionManager.php

@@ -117,6 +117,10 @@ public function shouldWatermark(Node $node, ?string $userId = null, ?IShare $sha
 			return false;
 		}
 
+		if (!in_array($node->getMimetype(), $this->appConfig->getMimeTypes(), true)) {
+			return false;
+		}
+
 		$fileId = $node->getId();
 
 		$isUpdatable = $node->isUpdateable() && (!$share || $share->getPermissions() & Constants::PERMISSION_UPDATE);
@@ -163,7 +167,7 @@ public function shouldWatermark(Node $node, ?string $userId = null, ?IShare $sha
 		}
 
 		if ($this->config->getAppValue(AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_shareTalkPublic', 'no') === 'yes') {
-			if ($userId === null && $share->getShareType() === IShare::TYPE_ROOM) {
+			if ($userId === null && $share?->getShareType() === IShare::TYPE_ROOM) {
 				return true;
 			}
 		}

lib/Storage/SecureViewWrapper.php

@@ -0,0 +1,109 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+namespace OCA\Richdocuments\Storage;
+
+use OC\Files\Storage\Wrapper\Wrapper;
+use OCA\Richdocuments\Middleware\WOPIMiddleware;
+use OCA\Richdocuments\PermissionManager;
+use OCP\Files\Folder;
+use OCP\Files\ForbiddenException;
+use OCP\Files\IRootFolder;
+use OCP\Files\Storage\ISharedStorage;
+use OCP\Files\Storage\IStorage;
+use OCP\IUserSession;
+use OCP\Server;
+
+class SecureViewWrapper extends Wrapper {
+	private PermissionManager $permissionManager;
+	private WOPIMiddleware $wopiMiddleware;
+	private IRootFolder $rootFolder;
+	private IUserSession $userSession;
+
+	private string $mountPoint;
+
+	public function __construct(array $parameters) {
+		parent::__construct($parameters);
+
+		$this->permissionManager = Server::get(PermissionManager::class);
+		$this->wopiMiddleware = Server::get(WOPIMiddleware::class);
+		$this->rootFolder = Server::get(IRootFolder::class);
+		$this->userSession = Server::get(IUserSession::class);
+
+		$this->mountPoint = $parameters['mountPoint'];
+	}
+
+	public function fopen($path, $mode) {
+		$this->checkFileAccess($path);
+
+		return $this->storage->fopen($path, $mode);
+	}
+
+	public function file_get_contents(string $path): false|string {
+		$this->checkFileAccess($path);
+
+		return $this->storage->file_get_contents($path);
+	}
+
+	public function copy(string $source, string $target): bool {
+		$this->checkSourceAndTarget($source, $target);
+
+		return parent::copy($source, $target);
+	}
+
+	public function copyFromStorage(IStorage $sourceStorage, string $sourceInternalPath, string $targetInternalPath): bool {
+		$this->checkSourceAndTarget($sourceInternalPath, $targetInternalPath, $sourceStorage);
+
+		return parent::copyFromStorage($sourceStorage, $sourceInternalPath, $targetInternalPath);
+	}
+
+	public function moveFromStorage(IStorage $sourceStorage, string $sourceInternalPath, string $targetInternalPath): bool {
+		$this->checkSourceAndTarget($sourceInternalPath, $targetInternalPath, $sourceStorage);
+
+		return parent::moveFromStorage($sourceStorage, $sourceInternalPath, $targetInternalPath);
+	}
+
+	public function rename(string $source, string $target): bool {
+		$this->checkSourceAndTarget($source, $target);
+
+		return parent::rename($source, $target);
+	}
+
+	/**
+	 * @throws ForbiddenException
+	 */
+	private function checkFileAccess(string $path): void {
+		if ($this->shouldSecure($path) && !$this->wopiMiddleware->isWOPIRequest()) {
+			throw new ForbiddenException('Download blocked due the secure view policy', false);
+		}
+	}
+
+	private function shouldSecure(string $path, ?IStorage $sourceStorage = null): bool {
+		if ($sourceStorage !== $this && $sourceStorage !== null) {
+			$fp = $sourceStorage->fopen($path, 'r');
+			fclose($fp);
+		}
+
+		$storage = $sourceStorage ?? $this;
+
+		$isSharedStorage = $storage->instanceOfStorage(ISharedStorage::class);
+		$mountNode = $this->rootFolder->get($storage->getMountPoint());
+		$node = $mountNode instanceof Folder ? $mountNode->get($path) : $mountNode;
+		$share = $isSharedStorage ? $node->getStorage()->getShare() : null;
+		$userId = $this->userSession->getUser()?->getUID();
+
+		return $this->permissionManager->shouldWatermark($node, $userId, $share);
+	}
+
+
+	private function checkSourceAndTarget(string $source, string $target, ?IStorage $sourceStorage = null): void {
+		if ($this->shouldSecure($source, $sourceStorage) && !$this->shouldSecure($target)) {
+			throw new ForbiddenException('Download blocked due the secure view policy. The source requires secure view that the target cannot offer.', false);
+		}
+	}
+}