fix: Apply checks on shares in the middleware

Signed-off-by: Julius Härtl <[email protected]>

lib/Middleware/SessionMiddleware.php

@@ -21,10 +21,12 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
+use OCP\Constants;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotPermittedException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager as ShareManager;
@@ -36,6 +38,7 @@ public function __construct(
  private IRequest $request,
  private SessionService $sessionService,
  private DocumentService $documentService,
+ private ISession $session,
  private IUserSession $userSession,
  private IRootFolder $rootFolder,
  private ShareManager $shareManager,
@@ -131,8 +134,25 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
  } catch (ShareNotFound) {
  throw new InvalidSessionException();
  }
- // Check if shareToken has access to document
- if ($this->rootFolder->getUserFolder($share->getShareOwner())->getFirstNodeById($documentId) === null) {
+
+ $node = $this->rootFolder->getUserFolder($share->getShareOwner())->getFirstNodeById($documentId);
+ if ($node === null) {
+ throw new InvalidSessionException();
+ }
+
+ if ($share->getPassword() !== null) {
+ $shareId = $this->session->get('public_link_authenticated');
+ if ($share->getId() !== $shareId) {
+ throw new InvalidSessionException();
+ }
+ }
+
+ if ($share->getPermissions() & Constants::PERMISSION_READ !== Constants::PERMISSION_READ) {
+ throw new InvalidSessionException();
+ }
+
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
  throw new InvalidSessionException();
  }
  } else {