|
27 | 27 | namespace OCA\Text\Service; |
28 | 28 |
|
29 | 29 | use OC\User\NoUserException; |
| 30 | +use OCA\DAV\Connector\Sabre\PublicAuth; |
30 | 31 | use OCA\Files_Sharing\SharedStorage; |
31 | 32 | use OCA\Text\Controller\AttachmentController; |
32 | 33 | use OCA\Text\Db\Session; |
|
40 | 41 | use OCP\Files\NotPermittedException; |
41 | 42 | use OCP\Files\SimpleFS\ISimpleFile; |
42 | 43 | use OCP\IPreview; |
| 44 | +use OCP\ISession; |
43 | 45 | use OCP\IURLGenerator; |
44 | 46 | use OCP\Lock\LockedException; |
45 | 47 | use OCP\Share\Exceptions\ShareNotFound; |
@@ -310,9 +312,33 @@ public function uploadAttachment(int $documentId, string $newFileName, $newFileR |
310 | 312 | * @throws NoUserException |
311 | 313 | */ |
312 | 314 | public function uploadAttachmentPublic(?int $documentId, string $newFileName, $newFileResource, string $shareToken): array { |
313 | | - if (!$this->hasUpdatePermissions($shareToken)) { |
| 315 | + try { |
| 316 | + $share = $this->shareManager->getShareByToken($shareToken); |
| 317 | + } catch (ShareNotFound) { |
| 318 | + throw new NotFoundException('Share not found'); |
| 319 | + } |
| 320 | + |
| 321 | + if (!$this->hasUpdatePermissions($share)) { |
314 | 322 | throw new NotPermittedException('No write permissions'); |
315 | 323 | } |
| 324 | + |
| 325 | + if ($share->getPassword() !== null) { |
| 326 | + $key = PublicAuth::DAV_AUTHENTICATED; |
| 327 | + |
| 328 | + if (!$this->session->exists($key)) { |
| 329 | + throw new NotPermittedException('Share not authenticated'); |
| 330 | + } |
| 331 | + |
| 332 | + $allowedShareIds = $this->session->get($key); |
| 333 | + if (!is_array($allowedShareIds)) { |
| 334 | + throw new NotPermittedException('Share not authenticated'); |
| 335 | + } |
| 336 | + |
| 337 | + if (!in_array($share->getId(), $allowedShareIds, true)) { |
| 338 | + throw new NotPermittedException('Share not authenticated'); |
| 339 | + } |
| 340 | + } |
| 341 | + |
316 | 342 | $textFile = $this->getTextFilePublic($documentId, $shareToken); |
317 | 343 | $saveDir = $this->getAttachmentDirectoryForFile($textFile, true); |
318 | 344 | $fileName = self::getUniqueFileName($saveDir, $newFileName); |
@@ -398,25 +424,16 @@ public static function getUniqueFileName(Folder $dir, string $fileName): string |
398 | 424 |
|
399 | 425 | /** |
400 | 426 | * Check if the shared access has write permissions |
401 | | - * |
402 | | - * @param string $shareToken |
403 | | - * |
404 | | - * @return bool |
405 | 427 | */ |
406 | | - private function hasUpdatePermissions(string $shareToken): bool { |
407 | | - try { |
408 | | - $share = $this->shareManager->getShareByToken($shareToken); |
409 | | - return ( |
410 | | - in_array( |
411 | | - $share->getShareType(), |
412 | | - [IShare::TYPE_LINK, IShare::TYPE_EMAIL, IShare::TYPE_ROOM], |
413 | | - true |
414 | | - ) |
415 | | - && $share->getPermissions() & Constants::PERMISSION_UPDATE |
416 | | - && $share->getNode()->getPermissions() & Constants::PERMISSION_UPDATE); |
417 | | - } catch (ShareNotFound|NotFoundException $e) { |
418 | | - return false; |
419 | | - } |
| 428 | + private function hasUpdatePermissions(IShare $share): bool { |
| 429 | + return ( |
| 430 | + in_array( |
| 431 | + $share->getShareType(), |
| 432 | + [IShare::TYPE_LINK, IShare::TYPE_EMAIL, IShare::TYPE_ROOM], |
| 433 | + true |
| 434 | + ) |
| 435 | + && $share->getPermissions() & Constants::PERMISSION_UPDATE |
| 436 | + && $share->getNode()->getPermissions() & Constants::PERMISSION_UPDATE); |
420 | 437 | } |
421 | 438 |
|
422 | 439 | /** |
|
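Review bot: The password gate in `uploadAttachmentPublic` (new lines 325–340) is written inline, so any other entry point in this service that accepts a share token has to repeat it by hand. The `getTextFilePublic($documentId, $shareToken)` call right after it resolves the token a second time, and whether that path enforces the password is not visible in this section. Consider moving the gate into one private helper, for example `assertShareAuthenticated(IShare $share): void`, and calling it wherever a public token is accepted; the three identical `throw new NotPermittedException('Share not authenticated');` branches could then share one condition. The strict `in_array($share->getId(), $allowedShareIds, true)` only matches if the DAV app stores ids under `PublicAuth::DAV_AUTHENTICATED` with the same type that `getId()` returns, so add a comment such as `// ids are written by OCA\DAV PublicAuth; strict compare relies on matching types`. Separately, `hasUpdatePermissions` no longer catches `NotFoundException` from `$share->getNode()`, so a share whose node is gone now raises that exception instead of 'No write permissions'; confirm the callers handle it.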