From 5f5918372608d9b7192cea4c88903d7192bc0e7e Mon Sep 17 00:00:00 2001
From: Varun Patil
Date: Tue, 15 Nov 2022 05:40:46 -0800
Subject: [PATCH] Add more permissions checks
---
 lib/Controller/ApiBase.php | 9 +++++++++
 lib/Controller/ArchiveController.php | 2 +-
 lib/Controller/FacesController.php | 5 +++++
 lib/Controller/ImageController.php | 2 +-
 lib/Controller/VideoController.php | 4 ++++
 5 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/lib/Controller/ApiBase.php b/lib/Controller/ApiBase.php
index 3d3ef667..146e7879 100644
--- a/lib/Controller/ApiBase.php
+++ b/lib/Controller/ApiBase.php
@@ -131,6 +131,10 @@ class ApiBase extends Controller
 throw new \Exception('Folder not found');
 }
+ if (!($folder->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ throw new \Exception('Folder not readable');
+ }
+
 return $folder;
 }
@@ -160,6 +164,11 @@ class ApiBase extends Controller
 return null;
 }
+ // Check read permission
+ if (!($file[0]->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ return null;
+ }
+
 return $file[0];
 }
diff --git a/lib/Controller/ArchiveController.php b/lib/Controller/ArchiveController.php
index 4ca93d0c..f6c518b4 100644
--- a/lib/Controller/ArchiveController.php
+++ b/lib/Controller/ArchiveController.php
@@ -54,7 +54,7 @@ class ArchiveController extends ApiBase
 $file = $file[0];
 // Check if user has permissions
- if (!$file->isUpdateable()) {
+ if (!$file->isUpdateable() || !($file->getPermissions() & \OCP\Constants::PERMISSION_UPDATE)) {
 return new JSONResponse(['message' => 'Cannot update this file'], Http::STATUS_FORBIDDEN);
 }
diff --git a/lib/Controller/FacesController.php b/lib/Controller/FacesController.php
index a6634ed7..f4dfd097 100644
--- a/lib/Controller/FacesController.php
+++ b/lib/Controller/FacesController.php
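Review bot: In the first ApiBase.php hunk the new failure is raised as a bare `\Exception` that differs from the not-found case only in its message, so a caller cannot map it to a 403 without matching on the string. A typed exception would let callers decide, for example `throw new \OCP\Files\NotPermittedException('Folder not readable');`, which still satisfies any `catch (\Exception)` upstream. If the message is echoed to the client it also confirms that the folder exists, so the distinction is better logged server-side than returned; the VideoController.php hunk makes the same found-versus-forbidden split visible by answering 403 with 'File not readable'. The enclosing method starts outside the hunk.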
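Review bot: In the second ApiBase.php hunk only `$file[0]` is tested, so if the lookup returns several nodes for the same file (presumably one per mount or share; the lookup itself is outside the hunk) a readable node later in the list is never considered and the method returns null. This fails closed, so it is not a bypass, but it can deny access the user legitimately has; returning the first node that carries PERMISSION_READ avoids that. The FacesController.php hunk (`$files[0]`) and the VideoController.php hunk (`$file = $files[0]`) take the first entry in the same way. The sketch below replaces both the added check and the final `return $file[0];`.

```php
// … unchanged: lookup and empty-result check …

// Check read permission: hand back the first node the user may read
foreach ($file as $node) {
    if ($node->getPermissions() & \OCP\Constants::PERMISSION_READ) {
        return $node;
    }
}

return null;
```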
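Review bot: In the ArchiveController.php hunk the second operand of the new condition looks redundant: as far as I know the core `isUpdateable()` implementation tests the same PERMISSION_UPDATE bit that `getPermissions()` is masked with here, so the `||` adds no coverage, and the ImageController.php hunk repeats the pattern. Either keep `if (!$file->isUpdateable()) {` or add a comment naming the case in which the two results differ. If the code after this hunk moves the file, which the controller name suggests but the hunk does not show, the check that is actually missing is delete permission on the source, `if (!$file->isUpdateable() || !$file->isDeletable()) {`.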
@@ -104,6 +104,11 @@ class FacesController extends ApiBase
 continue;
 }
+ // Check read permission
+ if (!($files[0]->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ continue;
+ }
+
 // Get (hopefully cached) preview image
 try {
 $preview = $this->previewManager->getPreview($files[0], 2048, 2048, false);
diff --git a/lib/Controller/ImageController.php b/lib/Controller/ImageController.php
index 43531472..c6cb40bf 100644
--- a/lib/Controller/ImageController.php
+++ b/lib/Controller/ImageController.php
@@ -71,7 +71,7 @@ class ImageController extends ApiBase
 }
 // Check if user has permissions
- if (!$file->isUpdateable()) {
+ if (!$file->isUpdateable() || !($file->getPermissions() & \OCP\Constants::PERMISSION_UPDATE)) {
 return new JSONResponse([], Http::STATUS_FORBIDDEN);
 }
diff --git a/lib/Controller/VideoController.php b/lib/Controller/VideoController.php
index 8ad56a63..9f43bd39 100644
--- a/lib/Controller/VideoController.php
+++ b/lib/Controller/VideoController.php
@@ -62,6 +62,10 @@ class VideoController extends ApiBase
 }
 $file = $files[0];
+ if (!($file->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ return new JSONResponse(['message' => 'File not readable'], Http::STATUS_FORBIDDEN);
+ }
+
 // Local files only for now
 if (!$file->getStorage()->isLocal()) {
 return new JSONResponse(['message' => 'External storage not supported'], Http::STATUS_FORBIDDEN);