share: check password in API calls

Varun Patil 2022-12-02 20:29:34 -08:00
parent 719022848b
commit 63059ecba2
1 changed files with 32 additions and 4 deletions


@ -40,12 +40,14 @@ use OCP\IConfig;
use OCP\IDBConnection; use OCP\IDBConnection;
use OCP\IPreview; use OCP\IPreview;
use OCP\IRequest; use OCP\IRequest;
use OCP\ISession;
use OCP\IUserSession; use OCP\IUserSession;
use OCP\Share\IManager as IShareManager; use OCP\Share\IManager as IShareManager;
class ApiBase extends Controller class ApiBase extends Controller
{ {
protected IConfig $config; protected IConfig $config;
protected ISession $session;
protected IUserSession $userSession; protected IUserSession $userSession;
protected IRootFolder $rootFolder; protected IRootFolder $rootFolder;
protected IAppManager $appManager; protected IAppManager $appManager;
@ -58,6 +60,7 @@ class ApiBase extends Controller
public function __construct( public function __construct(
IRequest $request, IRequest $request,
IConfig $config, IConfig $config,
ISession $session,
IUserSession $userSession, IUserSession $userSession,
IDBConnection $connection, IDBConnection $connection,
IRootFolder $rootFolder, IRootFolder $rootFolder,
@ -69,6 +72,7 @@ class ApiBase extends Controller
parent::__construct(Application::APPNAME, $request); parent::__construct(Application::APPNAME, $request);
$this->config = $config; $this->config = $config;
$this->session = $session;
$this->userSession = $userSession; $this->userSession = $userSession;
$this->connection = $connection; $this->connection = $connection;
$this->rootFolder = $rootFolder; $this->rootFolder = $rootFolder;
@ -230,21 +234,45 @@ class ApiBase extends Controller
return $this->request->getParam('folder_share'); return $this->request->getParam('folder_share');
} }
protected function getShareNode() protected function getShareObject()
{ {
// Get token from request
$token = $this->getShareToken(); $token = $this->getShareToken();
if (null === $token) { if (null === $token) {
return null; return null;
} }
$share = $this->shareManager->getShareByToken($token)->getNode(); // throws exception if not found // Get share by token
if (!$share instanceof Folder || !$share->isReadable() || !$share->isShareable()) { $share = $this->shareManager->getShareByToken($token);
throw new \Exception('Share not found or invalid');
// Check if share is password protected
if (($password = $share->getPassword()) !== null) {
// https://github.com/nextcloud/server/blob/0447b53bda9fe95ea0cbed765aa332584605d652/lib/public/AppFramework/PublicShareController.php#L119
if ($this->session->get('public_link_authenticated_token') !== $token ||
$this->session->get('public_link_authenticated_password_hash') !== $password) {
throw new \Exception('Share is password protected and user is not authenticated');
}
} }
return $share; return $share;
} }
protected function getShareNode()
{
$share = $this->getShareObject();
if (null === $share) {
return null;
}
// Get node from share
$node = $share->getNode(); // throws exception if not found
if (!$node instanceof Folder || !$node->isReadable() || !$node->isShareable()) {
throw new \Exception('Share not found or invalid');
}
return $node;
}
/** /**
* Check if albums are enabled for this user. * Check if albums are enabled for this user.
*/ */
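Review bot: Both failure paths in the new code throw a bare `\Exception` — the unauthenticated case at `throw new \Exception('Share is password protected and user is not authenticated')` in getShareObject() and the invalid-node case `throw new \Exception('Share not found or invalid')` in getShareNode() — so a caller that maps exceptions to HTTP responses cannot distinguish an authorization failure (401/403) from a missing share (404) except by matching message text. A dedicated exception type for the authentication failure, or at minimum a `@throws \Exception` docblock on both `getShareObject()` and `getShareNode()` naming which condition throws, would make that contract explicit to callers. The new `getShareObject()` also has no return type, and since `Folder` is already imported (it is used in the `instanceof` check) `getShareNode()` could declare `?Folder`, which documents the null-when-no-token case that is otherwise only visible by reading the body. The session check itself mirrors the server's PublicShareController logic referenced in the comment and compares two server-held values, so a constant-time comparison is a nicety rather than a requirement here.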