Check that the owner of a link share still has share permissions on a…

…ccess
owncloud · Jan 15, 2016 · 92b02b8 · 92b02b8
1 parent 6a7be4d
commit 92b02b8
Show file tree

Hide file tree

Showing 3 changed files with 71 additions and 2 deletions.
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
@@ -46,7 +46,7 @@
 
 $requestUri = \OC::$server->getRequest()->getRequestUri();
 
-$server = $serverFactory->createServer($baseuri, $requestUri, $authBackend, function () use ($authBackend) {
+$server = $serverFactory->createServer($baseuri, $requestUri, $authBackend, function (\Sabre\DAV\Server $server) use ($authBackend) {
 	$isAjax = (isset($_SERVER['HTTP_X_REQUESTED_WITH']) && $_SERVER['HTTP_X_REQUESTED_WITH'] === 'XMLHttpRequest');
 	if (OCA\Files_Sharing\Helper::isOutgoingServer2serverShareEnabled() === false && !$isAjax) {
 		// this is what is thrown when trying to access a non-existing share
@@ -68,6 +68,9 @@
 	OC_Util::setupFS($owner);
 	$ownerView = \OC\Files\Filesystem::getView();
 	$path = $ownerView->getPath($fileId);
+	$fileInfo = $ownerView->getFileInfo($path);
+
+	$server->addPlugin(new \OCA\DAV\Files\Sharing\PublicLinkCheckPlugin($share, $fileInfo));
 
 	return new \OC\Files\View($ownerView->getAbsolutePath($path));
 });

diff --git a/apps/dav/lib/connector/sabre/serverfactory.php b/apps/dav/lib/connector/sabre/serverfactory.php
@@ -115,7 +115,7 @@ public function createServer($baseUri,
 			\OC::$server->getUserFolder();
 
 			/** @var \OC\Files\View $view */
-			$view = $viewCallBack();
+			$view = $viewCallBack($server);
 			$rootInfo = $view->getFileInfo('');
 
 			// Create ownCloud Dir

diff --git a/apps/dav/lib/files/sharing/publicsharecheckplugin.php b/apps/dav/lib/files/sharing/publicsharecheckplugin.php
@@ -0,0 +1,66 @@
+<?php
+/**
+ * @author Robin Appelman <icewind@owncloud.com>
+ *
+ * @copyright Copyright (c) 2015, ownCloud, Inc.
+ * @license AGPL-3.0
+ *
+ * This code is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License, version 3,
+ * as published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License, version 3,
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>
+ *
+ */
+
+namespace OCA\DAV\Files\Sharing;
+
+use OCP\Files\FileInfo;
+use Sabre\DAV\Exception\NotFound;
+use Sabre\DAV\ServerPlugin;
+use Sabre\HTTP\RequestInterface;
+use Sabre\HTTP\ResponseInterface;
+
+/**
+ * Verify that the public link share is valid
+ */
+class PublicLinkCheckPlugin extends ServerPlugin {
+	/**
+	 * @var FileInfo
+	 */
+	private $fileInfo;
+
+	/**
+	 * PublicLinkCheckPlugin constructor.
+	 *
+	 * @param FileInfo $fileInfo fileinfo for the shared file or folder from the owner
+	 */
+	public function __construct(FileInfo $fileInfo) {
+		$this->fileInfo = $fileInfo;
+	}
+
+
+	/**
+	 * This initializes the plugin.
+	 *
+	 * @param \Sabre\DAV\Server $server Sabre server
+	 *
+	 * @return void
+	 */
+	public function initialize(\Sabre\DAV\Server $server) {
+		$server->on('beforeMethod', [$this, 'beforeMethod']);
+	}
+
+	public function beforeMethod(RequestInterface $request, ResponseInterface $response){
+		// verify that the owner didn't have his share permissions revoked
+		if (!$this->fileInfo->isShareable()) {
+			throw new NotFound();
+		}
+	}
+}