Merge pull request #59008 from nextcloud/federated-sharing-check

fix: provide `canDownload` helper for shares and use it where appropriate

Author: susnux

apps/federatedfilesharing/lib/Controller/MountPublicLinkController.php

@@ -18,7 +18,6 @@
 use OCP\AppFramework\Http\Attribute\OpenAPI;
 use OCP\AppFramework\Http\Attribute\PublicPage;
 use OCP\AppFramework\Http\JSONResponse;
-use OCP\Constants;
 use OCP\Federation\ICloudIdManager;
 use OCP\HintException;
 use OCP\Http\Client\IClientService;
@@ -108,9 +107,9 @@ public function createFederatedShare($shareWith, $token, $password = '') {
 			return $response;
 		}
 
-		if (($share->getPermissions() & Constants::PERMISSION_READ) === 0) {
+		if (!$share->canDownload()) {
 			$response = new JSONResponse(
-				['message' => 'Mounting file drop not supported'],
+				['message' => 'Mounting download restricted share is not allowed'],
 				Http::STATUS_BAD_REQUEST
 			);
 			$response->throttle();

apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php

@@ -153,7 +153,7 @@ public function renderPage(IShare $share, string $token, string $path): Template
 
 		// Create the header action menu
 		$headerActions = [];
-		if ($view !== 'public-file-drop' && !$share->getHideDownload()) {
+		if ($share->canDownload() && !$share->getHideDownload()) {
 			// The download URL is used for the "download" header action as well as in some cases for the direct link
 			$downloadUrl = $this->urlGenerator->getAbsoluteURL('/public.php/dav/files/' . $token . '/?accept=zip');
 

lib/private/Share20/Share.php

@@ -7,6 +7,7 @@
  */
 namespace OC\Share20;
 
+use OCP\Constants;
 use OCP\Files\Cache\ICacheEntry;
 use OCP\Files\File;
 use OCP\Files\FileInfo;
@@ -586,6 +587,19 @@ public function getReminderSent(): bool {
 		return $this->reminderSent;
 	}
 
+	public function canDownload(): bool {
+		if (($this->getPermissions() & Constants::PERMISSION_READ) === 0) {
+			return false;
+		}
+
+		$attributes = $this->getAttributes();
+		if ($attributes?->getAttribute('permissions', 'download') === false) {
+			return false;
+		}
+
+		return true;
+	}
+
 	public function canSeeContent(): bool {
 		$shareManager = Server::get(IManager::class);
 
@@ -595,13 +609,6 @@ public function canSeeContent(): bool {
 			return true;
 		}
 
-		// No "allow preview" header set, so we must check if
-		// the share has not explicitly disabled download permissions
-		$attributes = $this->getAttributes();
-		if ($attributes?->getAttribute('permissions', 'download') === false) {
-			return false;
-		}
-
-		return true;
+		return $this->canDownload();
 	}
 }

lib/public/Share/IShare.php

@@ -645,6 +645,15 @@ public function getReminderSent(): bool;
 	 * Check if the current user can see this share files contents.
 	 * This will check the download permissions as well as the global
 	 * admin setting to allow viewing files without downloading.
+	 *
+	 * @since 32.0.0
 	 */
 	public function canSeeContent(): bool;
+
+	/**
+	 * Check if it is allowed to download this share.
+	 *
+	 * @since 34.0.0
+	 */
+	public function canDownload(): bool;
 }