Add more permissions checks

pull/221/head
Varun Patil 2022-11-15 05:40:46 -08:00
parent 19386f2422
commit 5f59183726
5 changed files with 20 additions and 2 deletions


@ -131,6 +131,10 @@ class ApiBase extends Controller
throw new \Exception('Folder not found');
}
if (!($folder->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
throw new \Exception('Folder not readable');
}
return $folder;
}
@ -160,6 +164,11 @@ class ApiBase extends Controller
return null;
}
// Check read permission
if (!($file[0]->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
return null;
}
return $file[0];
}
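Review bot: The new `'Folder not readable'` exception in the first hunk is distinct from the `'Folder not found'` thrown just above it, so if the exception message is passed back to the client, a caller without read permission can tell that the folder exists. The second hunk avoids this by returning `null` for both the missing and the unreadable case, and the same split appears in the VideoController section, where the unreadable file gets its own `'File not readable'` 403. Whether the message reaches the response is not visible here, since both function bodies start outside the hunks; if it does, I would throw `new \Exception('Folder not found')` in both branches and keep the distinction for the server log.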


@ -54,7 +54,7 @@ class ArchiveController extends ApiBase
$file = $file[0];
// Check if user has permissions
if (!$file->isUpdateable()) {
if (!$file->isUpdateable() || !($file->getPermissions() & \OCP\Constants::PERMISSION_UPDATE)) {
return new JSONResponse(['message' => 'Cannot update this file'], Http::STATUS_FORBIDDEN);
}
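Review bot: The added `!($file->getPermissions() & \OCP\Constants::PERMISSION_UPDATE)` clause looks redundant, because as far as I know the server's `isUpdateable()` is itself a test of the PERMISSION_UPDATE bit on `getPermissions()`, so both operands give the same answer; the ImageController section has the identical condition. If the second test is meant as defence in depth against a node implementation whose `isUpdateable()` behaves differently, say so in the comment above it, e.g. `// Also test the raw permission bit in case isUpdateable() is overridden`. Otherwise the original `if (!$file->isUpdateable()) {` already enforces this, and the read checks elsewhere in the commit could use `isReadable()` for the same reason. The enclosing method starts and ends outside the hunk.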


@ -104,6 +104,11 @@ class FacesController extends ApiBase
continue;
}
// Check read permission
if (!($files[0]->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
continue;
}
// Get (hopefully cached) preview image
try {
$preview = $this->previewManager->getPreview($files[0], 2048, 2048, false);
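Review bot: The read check on `$files[0]` repeats inline what the second ApiBase hunk already does in the base class, and VideoController adds a third copy. Since both controllers extend ApiBase, routing the lookup through that base-class method (it returns `null` for an unreadable node) would keep the rule in one place, so a future endpoint cannot fetch a node by id and forget the check. I cannot see the helper's name or signature from this page, so this is worth confirming against the file. The loop body and the `try` block continue outside the hunk.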


@ -71,7 +71,7 @@ class ImageController extends ApiBase
}
// Check if user has permissions
if (!$file->isUpdateable()) {
if (!$file->isUpdateable() || !($file->getPermissions() & \OCP\Constants::PERMISSION_UPDATE)) {
return new JSONResponse([], Http::STATUS_FORBIDDEN);
}


@ -62,6 +62,10 @@ class VideoController extends ApiBase
}
$file = $files[0];
if (!($file->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
return new JSONResponse(['message' => 'File not readable'], Http::STATUS_FORBIDDEN);
}
// Local files only for now
if (!$file->getStorage()->isLocal()) {
return new JSONResponse(['message' => 'External storage not supported'], Http::STATUS_FORBIDDEN);