ViewOnlyPlugin.php 3.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104
  1. <?php
  2. /**
  3. * @author Piotr Mrowczynski piotr@owncloud.com
  4. *
  5. * @copyright Copyright (c) 2019, ownCloud GmbH
  6. * @license AGPL-3.0
  7. *
  8. * This code is free software: you can redistribute it and/or modify
  9. * it under the terms of the GNU Affero General Public License, version 3,
  10. * as published by the Free Software Foundation.
  11. *
  12. * This program is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU Affero General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU Affero General Public License, version 3,
  18. * along with this program. If not, see <http://www.gnu.org/licenses/>
  19. *
  20. */
  21. namespace OCA\DAV\DAV;
  22. use OCA\DAV\Connector\Sabre\Exception\Forbidden;
  23. use OCA\DAV\Connector\Sabre\File as DavFile;
  24. use OCP\Files\NotFoundException;
  25. use Psr\Log\LoggerInterface;
  26. use Sabre\DAV\Server;
  27. use Sabre\DAV\ServerPlugin;
  28. use Sabre\HTTP\RequestInterface;
  29. use Sabre\DAV\Exception\NotFound;
  30. /**
  31. * Sabre plugin for restricting file share receiver download:
  32. */
  33. class ViewOnlyPlugin extends ServerPlugin {
  34. private ?Server $server = null;
  35. private LoggerInterface $logger;
  36. public function __construct(LoggerInterface $logger) {
  37. $this->logger = $logger;
  38. }
  39. /**
  40. * This initializes the plugin.
  41. *
  42. * This function is called by Sabre\DAV\Server, after
  43. * addPlugin is called.
  44. *
  45. * This method should set up the required event subscriptions.
  46. */
  47. public function initialize(Server $server): void {
  48. $this->server = $server;
  49. //priority 90 to make sure the plugin is called before
  50. //Sabre\DAV\CorePlugin::httpGet
  51. $this->server->on('method:GET', [$this, 'checkViewOnly'], 90);
  52. $this->server->on('method:COPY', [$this, 'checkViewOnly'], 90);
  53. }
  54. /**
  55. * Disallow download via DAV Api in case file being received share
  56. * and having special permission
  57. *
  58. * @throws Forbidden
  59. * @throws NotFoundException
  60. */
  61. public function checkViewOnly(RequestInterface $request): bool {
  62. $path = $request->getPath();
  63. try {
  64. assert($this->server !== null);
  65. $davNode = $this->server->tree->getNodeForPath($path);
  66. if (!($davNode instanceof DavFile)) {
  67. return true;
  68. }
  69. // Restrict view-only to nodes which are shared
  70. $node = $davNode->getNode();
  71. $storage = $node->getStorage();
  72. if (!$storage->instanceOfStorage(\OCA\Files_Sharing\SharedStorage::class)) {
  73. return true;
  74. }
  75. // Extract extra permissions
  76. /** @var \OCA\Files_Sharing\SharedStorage $storage */
  77. $share = $storage->getShare();
  78. $attributes = $share->getAttributes();
  79. if ($attributes === null) {
  80. return true;
  81. }
  82. // Check if read-only and on whether permission can download is both set and disabled.
  83. $canDownload = $attributes->getAttribute('permissions', 'download');
  84. if ($canDownload !== null && !$canDownload) {
  85. throw new Forbidden('Access to this resource has been denied because it is in view-only mode.');
  86. }
  87. } catch (NotFound $e) {
  88. // File not found
  89. }
  90. return true;
  91. }
  92. }