ViewOnlyPlugin.php 3.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121
  1. <?php
  2. /**
  3. * @author Piotr Mrowczynski piotr@owncloud.com
  4. *
  5. * @copyright Copyright (c) 2019, ownCloud GmbH
  6. * @license AGPL-3.0
  7. *
  8. * This code is free software: you can redistribute it and/or modify
  9. * it under the terms of the GNU Affero General Public License, version 3,
  10. * as published by the Free Software Foundation.
  11. *
  12. * This program is distributed in the hope that it will be useful,
  13. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  14. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  15. * GNU Affero General Public License for more details.
  16. *
  17. * You should have received a copy of the GNU Affero General Public License, version 3,
  18. * along with this program. If not, see <http://www.gnu.org/licenses/>
  19. *
  20. */
  21. namespace OCA\DAV\DAV;
  22. use OCA\DAV\Connector\Sabre\Exception\Forbidden;
  23. use OCA\DAV\Connector\Sabre\File as DavFile;
  24. use OCA\Files_Versions\Sabre\VersionFile;
  25. use OCP\Files\Folder;
  26. use OCP\Files\NotFoundException;
  27. use Sabre\DAV\Exception\NotFound;
  28. use Sabre\DAV\Server;
  29. use Sabre\DAV\ServerPlugin;
  30. use Sabre\HTTP\RequestInterface;
  31. /**
  32. * Sabre plugin for restricting file share receiver download:
  33. */
  34. class ViewOnlyPlugin extends ServerPlugin {
  35. private ?Server $server = null;
  36. private ?Folder $userFolder;
  37. public function __construct(
  38. ?Folder $userFolder,
  39. ) {
  40. $this->userFolder = $userFolder;
  41. }
  42. /**
  43. * This initializes the plugin.
  44. *
  45. * This function is called by Sabre\DAV\Server, after
  46. * addPlugin is called.
  47. *
  48. * This method should set up the required event subscriptions.
  49. */
  50. public function initialize(Server $server): void {
  51. $this->server = $server;
  52. //priority 90 to make sure the plugin is called before
  53. //Sabre\DAV\CorePlugin::httpGet
  54. $this->server->on('method:GET', [$this, 'checkViewOnly'], 90);
  55. $this->server->on('method:COPY', [$this, 'checkViewOnly'], 90);
  56. $this->server->on('method:MOVE', [$this, 'checkViewOnly'], 90);
  57. }
  58. /**
  59. * Disallow download via DAV Api in case file being received share
  60. * and having special permission
  61. *
  62. * @throws Forbidden
  63. * @throws NotFoundException
  64. */
  65. public function checkViewOnly(RequestInterface $request): bool {
  66. $path = $request->getPath();
  67. try {
  68. assert($this->server !== null);
  69. $davNode = $this->server->tree->getNodeForPath($path);
  70. if ($davNode instanceof DavFile) {
  71. // Restrict view-only to nodes which are shared
  72. $node = $davNode->getNode();
  73. } elseif ($davNode instanceof VersionFile) {
  74. $node = $davNode->getVersion()->getSourceFile();
  75. $currentUserId = $this->userFolder?->getOwner()?->getUID();
  76. // The version source file is relative to the owner storage.
  77. // But we need the node from the current user perspective.
  78. if ($node->getOwner()->getUID() !== $currentUserId) {
  79. $nodes = $this->userFolder->getById($node->getId());
  80. $node = array_pop($nodes);
  81. if (!$node) {
  82. throw new NotFoundException("Version file not accessible by current user");
  83. }
  84. }
  85. } else {
  86. return true;
  87. }
  88. $storage = $node->getStorage();
  89. if (!$storage->instanceOfStorage(\OCA\Files_Sharing\SharedStorage::class)) {
  90. return true;
  91. }
  92. // Extract extra permissions
  93. /** @var \OCA\Files_Sharing\SharedStorage $storage */
  94. $share = $storage->getShare();
  95. $attributes = $share->getAttributes();
  96. if ($attributes === null) {
  97. return true;
  98. }
  99. // Check if read-only and on whether permission can download is both set and disabled.
  100. $canDownload = $attributes->getAttribute('permissions', 'download');
  101. if ($canDownload !== null && !$canDownload) {
  102. throw new Forbidden('Access to this shared resource has been denied because its download permission is disabled.');
  103. }
  104. } catch (NotFound $e) {
  105. // File not found
  106. }
  107. return true;
  108. }
  109. }