fix(SessionMiddleware): Check if user/share have access to document

Signed-off-by: Jonas <jonas@freesources.org>
nextcloud · Nov 29, 2023 · 97a80d6 · 97a80d6
1 parent 0ef64ad
commit 97a80d6
Showing 1 changed file with 30 additions and 3 deletions.
diff --git a/lib/Middleware/SessionMiddleware.php b/lib/Middleware/SessionMiddleware.php
@@ -2,6 +2,7 @@
 
 namespace OCA\Text\Middleware;
 
+use OC\User\NoUserException;
 use OCA\Text\Controller\ISessionAwareController;
 use OCA\Text\Exception\InvalidSessionException;
 use OCA\Text\Middleware\Attribute\RequireDocumentSession;
@@ -11,17 +12,24 @@
 use OCP\AppFramework\Controller;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\Response;
+use OCP\AppFramework\Middleware;
+use OCP\Files\IRootFolder;
+use OCP\Files\NotPermittedException;
 use OCP\IRequest;
 use OCP\IUserSession;
+use OCP\Share\Exceptions\ShareNotFound;
+use OCP\Share\IManager as ShareManager;
 use ReflectionException;
 
-class SessionMiddleware extends \OCP\AppFramework\Middleware {
+class SessionMiddleware extends Middleware {
 
 	public function __construct(
 		private IRequest $request,
 		private SessionService $sessionService,
 		private DocumentService $documentService,
 		private IUserSession $userSession,
+		private IRootFolder $rootFolder,
+		private ShareManager $shareManager,
 	) {
 	}
 
@@ -49,6 +57,9 @@ public function beforeController(Controller $controller, string $methodName): vo
 		}
 	}
 
+	/**
+	 * @throws InvalidSessionException
+	 */
 	private function assertDocumentSession(ISessionAwareController $controller): void {
 		$documentId = (int)$this->request->getParam('documentId');
 		$sessionId = (int)$this->request->getParam('sessionId');
@@ -72,13 +83,29 @@ private function assertDocumentSession(ISessionAwareController $controller): voi
 		}
 	}
 
+	/**
+	 * @throws NotPermittedException
+	 * @throws NoUserException
+	 * @throws InvalidSessionException
+	 */
 	private function assertUserOrShareToken(ISessionAwareController $controller): void {
 		$documentId = (int)$this->request->getParam('documentId');
 		if (null !== $userId = $this->userSession->getUser()?->getUID()) {
+			// Check if user has access to document
+			if (count($this->rootFolder->getUserFolder($userId)->getById($documentId)) === 0) {
+				throw new InvalidSessionException();
+			}
 			$controller->setUserId($userId);
-			// TODO: check if user has access to document
 		} elseif ('' !== $shareToken = (string)$this->request->getParam('shareToken')) {
-			// TODO: check if shareToken has access to document
+			try {
+				$share = $this->shareManager->getShareByToken($shareToken);
+			} catch (ShareNotFound) {
+				throw new InvalidSessionException();
+			}
+			// Check if shareToken has access to document
+			if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {
+				throw new InvalidSessionException();
+			}
 		} else {
 			throw new InvalidSessionException();
 		}