Fix access to spaces shared via public link (#3451)

* Fix access to spaces shared via public link * Add changelog
cs3org · Nov 11, 2022 · 413c0a3 · 413c0a3
1 parent fffaf0f
commit 413c0a3
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 4 deletions.
diff --git a/changelog/unreleased/fix-space-public-links.md b/changelog/unreleased/fix-space-public-links.md
@@ -0,0 +1,6 @@
+Bugfix: Fix access to spaces shared via public link
+
+We fixed a problem where downloading archives from spaces which were shared via
+public links was not possible.
+
+https://github.com/cs3org/reva/pull/3452
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
@@ -189,11 +189,19 @@ func checkRelativeReference(ctx context.Context, requested *provider.Reference,
 
 	sharedResource := sRes.Info
 
-	parentID := sharedResource.ParentId
-	parentID.StorageId = sharedResource.Id.StorageId
+	// Is this a shared space
+	if sharedResource.ParentId == nil {
+		// Is the requested resource part of the shared space?
+		if requested.ResourceId.StorageId != sharedResource.Id.StorageId || requested.ResourceId.SpaceId != sharedResource.Id.SpaceId {
+			return errtypes.PermissionDenied("access forbidden via public link")
+		}
+	} else {
+		parentID := sharedResource.ParentId
+		parentID.StorageId = sharedResource.Id.StorageId
 
-	if !utils.ResourceIDEqual(parentID, requested.ResourceId) && utils.MakeRelativePath(sharedResource.Path) != requested.Path {
-		return errtypes.PermissionDenied("access not allowed for via public share")
+		if !utils.ResourceIDEqual(parentID, requested.ResourceId) && utils.MakeRelativePath(sharedResource.Path) != requested.Path {
+			return errtypes.PermissionDenied("access forbidden via public link")
+		}
 	}
 
 	key := storagespace.FormatResourceID(*sharedResourceID) + scopeDelimiter + getRefKey(requested)