diff --git a/lib/Controller/PublicAlbumController.php b/lib/Controller/PublicAlbumController.php
index df05933a..99a5c972 100644
--- a/lib/Controller/PublicAlbumController.php
+++ b/lib/Controller/PublicAlbumController.php
@@ -5,12 +5,15 @@ namespace OCA\Memories\Controller;
 use OCA\Memories\Db\TimelineQuery;
 use OCP\App\IAppManager;
 use OCP\AppFramework\Controller;
+use OCP\AppFramework\Http\RedirectResponse;
 use OCP\AppFramework\Http\Template\PublicTemplateResponse;
 use OCP\AppFramework\Http\TemplateResponse;
 use OCP\AppFramework\Services\IInitialState;
 use OCP\EventDispatcher\IEventDispatcher;
 use OCP\IConfig;
 use OCP\IDBConnection;
+use OCP\IURLGenerator;
+use OCP\IUserSession;
 use OCP\Util;
 
 class PublicAlbumController extends Controller
@@ -21,6 +24,8 @@ class PublicAlbumController extends Controller
 protected IAppManager $appManager;
 protected IConfig $config;
 protected IDBConnection $connection;
+ protected IUserSession $userSession;
+ protected IURLGenerator $urlGenerator;
 
 public function __construct(
 string $appName,
@@ -28,7 +33,9 @@ class PublicAlbumController extends Controller
 IInitialState $initialState,
 IAppManager $appManager,
 IConfig $config,
- IDBConnection $connection
+ IDBConnection $connection,
+ IUserSession $userSession,
+ IURLGenerator $urlGenerator
 ) {
 $this->appName = $appName;
 $this->eventDispatcher = $eventDispatcher;
@@ -36,6 +43,8 @@ class PublicAlbumController extends Controller
 $this->appManager = $appManager;
 $this->config = $config;
 $this->connection = $connection;
+ $this->userSession = $userSession;
+ $this->urlGenerator = $urlGenerator;
 }
 
 /**
@@ -43,10 +52,8 @@ class PublicAlbumController extends Controller
 *
 * @NoCSRFRequired
 */
- public function showShare(string $token): TemplateResponse
+ public function showShare(string $token)
 {
- \OC_User::setIncognitoMode(true);
-
 // Validate token exists
 $timelineQuery = new TimelineQuery($this->connection);
 $album = $timelineQuery->getAlbumByLink($token);
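Review bot: The new `showShare` signature drops the return type entirely rather than widening it, so the method is now untyped even though both outcomes it can produce share a base class; `public function showShare(string $token): Response` with `use OCP\AppFramework\Http\Response;` added to the import block in the first hunk keeps the declaration typed. A `@return TemplateResponse|RedirectResponse` line in the docblock above it would also tell callers which concrete responses to expect. The body of showShare continues past the end of this hunk.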
@@ -54,6 +61,23 @@ class PublicAlbumController extends Controller
 return new TemplateResponse('core', '404', [], 'guest');
 }
 
+ // Check if the current user has access to the album
+ // Just redirect to the user's page if the user is the owner or a collaborator
+ if ($user = $this->userSession->getUser()) {
+ $uid = $user->getUID();
+ $albumId = (int) $album['album_id'];
+
+ if ($uid === $album['user'] || $timelineQuery->userIsAlbumCollaborator($uid, $albumId)) {
+ $idStr = $album['user'].'/'.$album['name'];
+ $url = $this->urlGenerator->linkToRoute('memories.Page.albums', ['id' => $idStr]);
+
+ return new RedirectResponse($url);
+ }
+ }
+
+ // Browse anonymously if the album is accessed as a link
+ \OC_User::setIncognitoMode(true);
+
 // Scripts
 Util::addScript($this->appName, 'memories-main');
 PageController::provideCommonInitialState($this->initialState);
diff --git a/lib/Db/TimelineQueryAlbums.php b/lib/Db/TimelineQueryAlbums.php
index b9e31a46..b092dae4 100644
--- a/lib/Db/TimelineQueryAlbums.php
+++ b/lib/Db/TimelineQueryAlbums.php
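Review bot: The reason `\OC_User::setIncognitoMode(true)` now sits after the owner/collaborator check is not recorded, and a later edit that restores the original order would silently break the redirect, since incognito mode presumably makes `$this->userSession->getUser()` report no user. The moved comment should state the constraint, e.g. `// Must stay after the getUser() check above: incognito mode hides the session user`. The redirect target is built from `$album['user']` and `$album['name']` joined with `/`, so an album name containing `/` yields an ambiguous `id`; that only matters if the `memories.Page.albums` route does not already tolerate such names, which this hunk does not show. Separately, `if ($user = ...)` reads as a comparison at a glance; `$user = $this->userSession->getUser(); if ($user !== null) {` makes the intent explicit.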
@@ -207,18 +207,34 @@ trait TimelineQueryAlbums
 }
 
 // Check in collaborators instead
+ $albumNumId = (int) $album['album_id'];
+ if ($this->userIsAlbumCollaborator($uid, $albumNumId)) {
+ return $album;
+ }
+
+ return null;
+ }
+
+ /**
+ * Check if user is a collaborator by numeric ID.
+ * Also checks if a group is a collaborator.
+ * Does not check if the user is the owner.
+ *
+ * @param string $uid User ID
+ * @param int $albumId Album ID (numeric)
+ */
+ public function userIsAlbumCollaborator(string $uid, int $albumId): bool
+ {
 $query = $this->connection->getQueryBuilder();
 $ids = $this->getSelfCollaborators($uid);
 $query->select('album_id')->from($this->collaboratorsTable())->where(
 $query->expr()->andX(
- $query->expr()->eq('album_id', $query->createNamedParameter($album['album_id'])),
+ $query->expr()->eq('album_id', $query->createNamedParameter($albumId, IQueryBuilder::PARAM_INT)),
 $query->expr()->in('collaborator_id', $query->createNamedParameter($ids, IQueryBuilder::PARAM_STR_ARRAY)),
 )
 );
 
- if (false !== $query->executeQuery()->fetchOne()) {
- return $album;
- }
+ return false !== $query->executeQuery()->fetchOne();
 }
 
 /**
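Review bot: The new `userIsAlbumCollaborator` returns straight from `fetchOne()` without releasing the query result, a pattern inherited from the lines it replaces; Nextcloud's `IResult` is expected to be closed with `closeCursor()`, so `$result = $query->executeQuery(); $found = false !== $result->fetchOne(); $result->closeCursor();` followed by `return $found;` is the safer shape. The `IN` clause is fed `$ids` from `getSelfCollaborators($uid)`; if that list can ever be empty the generated SQL would be invalid on some drivers, which would warrant an early `return false`, though the helper's contract is outside this hunk. The two `@param` lines only restate the native types and could be dropped, leaving the three descriptive sentences, which are the useful part of the docblock.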