ViewOnlyPlugin.php 3.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120
  1. <?php
  2. /**
  3. * @author Piotr Mrowczynski piotr@owncloud.com
  4. *
  5. * @copyright Copyright (c) 2019, ownCloud GmbH
  6. * @license AGPL-3.0
  7. *
  8. * This code is free software: you can redistribute it and/or modify
  9. * it under the terms of the GNU Affero General Public License, version 3,
  10. * as published by the Free Software Foundation.
  11. *
  12. * This program is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU Affero General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU Affero General Public License, version 3,
  18. * along with this program. If not, see <http://www.gnu.org/licenses/>
  19. *
  20. */
  21. namespace OCA\DAV\DAV;
  22. use OCA\DAV\Connector\Sabre\Exception\Forbidden;
  23. use OCA\DAV\Connector\Sabre\File as DavFile;
  24. use OCA\Files_Versions\Sabre\VersionFile;
  25. use OCP\Files\Folder;
  26. use OCP\Files\NotFoundException;
  27. use Sabre\DAV\Exception\NotFound;
  28. use Sabre\DAV\Server;
  29. use Sabre\DAV\ServerPlugin;
  30. use Sabre\HTTP\RequestInterface;
  31. /**
  32. * Sabre plugin for restricting file share receiver download:
  33. */
  34. class ViewOnlyPlugin extends ServerPlugin {
  35. private ?Server $server = null;
  36. private ?Folder $userFolder;
  37. public function __construct(
  38. ?Folder $userFolder,
  39. ) {
  40. $this->userFolder = $userFolder;
  41. }
  42. /**
  43. * This initializes the plugin.
  44. *
  45. * This function is called by Sabre\DAV\Server, after
  46. * addPlugin is called.
  47. *
  48. * This method should set up the required event subscriptions.
  49. */
  50. public function initialize(Server $server): void {
  51. $this->server = $server;
  52. //priority 90 to make sure the plugin is called before
  53. //Sabre\DAV\CorePlugin::httpGet
  54. $this->server->on('method:GET', [$this, 'checkViewOnly'], 90);
  55. $this->server->on('method:COPY', [$this, 'checkViewOnly'], 90);
  56. }
  57. /**
  58. * Disallow download via DAV Api in case file being received share
  59. * and having special permission
  60. *
  61. * @throws Forbidden
  62. * @throws NotFoundException
  63. */
  64. public function checkViewOnly(RequestInterface $request): bool {
  65. $path = $request->getPath();
  66. try {
  67. assert($this->server !== null);
  68. $davNode = $this->server->tree->getNodeForPath($path);
  69. if ($davNode instanceof DavFile) {
  70. // Restrict view-only to nodes which are shared
  71. $node = $davNode->getNode();
  72. } elseif ($davNode instanceof VersionFile) {
  73. $node = $davNode->getVersion()->getSourceFile();
  74. $currentUserId = $this->userFolder?->getOwner()?->getUID();
  75. // The version source file is relative to the owner storage.
  76. // But we need the node from the current user perspective.
  77. if ($node->getOwner()->getUID() !== $currentUserId) {
  78. $nodes = $this->userFolder->getById($node->getId());
  79. $node = array_pop($nodes);
  80. if (!$node) {
  81. throw new NotFoundException("Version file not accessible by current user");
  82. }
  83. }
  84. } else {
  85. return true;
  86. }
  87. $storage = $node->getStorage();
  88. if (!$storage->instanceOfStorage(\OCA\Files_Sharing\SharedStorage::class)) {
  89. return true;
  90. }
  91. // Extract extra permissions
  92. /** @var \OCA\Files_Sharing\SharedStorage $storage */
  93. $share = $storage->getShare();
  94. $attributes = $share->getAttributes();
  95. if ($attributes === null) {
  96. return true;
  97. }
  98. // Check if read-only and on whether permission can download is both set and disabled.
  99. $canDownload = $attributes->getAttribute('permissions', 'download');
  100. if ($canDownload !== null && !$canDownload) {
  101. throw new Forbidden('Access to this shared resource has been denied because its download permission is disabled.');
  102. }
  103. } catch (NotFound $e) {
  104. // File not found
  105. }
  106. return true;
  107. }
  108. }