fix public link resharing (cs3org#3023)
Signed-off-by: jkoberg <[email protected]>
kobergj committed Jul 11, 2022
1 parent 0e7fc87 commit b4fd8cd
Showing 3 changed files with 37 additions and 11 deletions.
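--- a/changelog/unreleased/fix-publiclink-resharing.md
+++ b/changelog/unreleased/fix-publiclink-resharing.md
@@ -0,0 +1,8 @@
+Bugfix: Forbid resharing with higher permissions
+
+When creating a public link from a viewer share a user was able to set editor permissions on that link.
+This was because of a missing check that is added now
+
+https://github.com/owncloud/ocis/issues/4061
+https://github.com/owncloud/ocis/issues/3881
+https://github.com/owncloud/ocis/pull/4077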
@@ -119,6 +119,14 @@ func (h *Handler) createPublicLinkShare(w http.ResponseWriter, r *http.Request,
newPermissions = conversions.RoleFromOCSPermissions(permissions).CS3ResourcePermissions()
}

if !sufficientPermissions(statInfo.PermissionSet, newPermissions) {
return nil, &ocsError{
Code: http.StatusNotFound,
Message: "Cannot set the requested share permissions",
Error: errors.New("cannot set the requested share permissions"),
}
}

req := link.CreatePublicShareRequest{
ResourceInfo: statInfo,
Grant: &link.Grant{
@@ -342,6 +350,19 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
}
}

statReq := provider.StatRequest{Ref: &provider.Reference{ResourceId: before.Share.ResourceId}}
statRes, err := gwC.Stat(r.Context(), &statReq)
if err != nil {
log.Debug().Err(err).Str("shares", "update public share").Msg("error during stat")
response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "missing resource information", fmt.Errorf("error getting resource information"))
return
}

if !sufficientPermissions(statRes.Info.PermissionSet, newPermissions) {
response.WriteOCSError(w, r, response.MetaBadRequest.StatusCode, "no share permission", nil)
return
}

// ExpireDate
expireTimeString, ok := r.Form["expireDate"]
// check if value is set and must be updated or cleared
@@ -411,15 +432,6 @@ func (h *Handler) updatePublicShare(w http.ResponseWriter, r *http.Request, shar
return
}

statReq := provider.StatRequest{Ref: &provider.Reference{ResourceId: before.Share.ResourceId}}

statRes, err := gwC.Stat(r.Context(), &statReq)
if err != nil {
log.Debug().Err(err).Str("shares", "update public share").Msg("error during stat")
response.WriteOCSError(w, r, response.MetaServerError.StatusCode, "missing resource information", fmt.Errorf("error getting resource information"))
return
}

s := conversions.PublicShare2ShareData(publicShare, r, h.publicURL)
err = h.addFileInfo(r.Context(), s, statRes.Info)
if err != nil {
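Review bot: In the updatePublicShare hunk at +350 the new check reads `statRes.Info.PermissionSet` after testing only `err`, so a Stat call that succeeds at transport level but comes back with a non-OK status (resource gone, access denied) would presumably leave `Info` nil and panic the handler instead of rejecting the request. A guard before the permission check such as `if statRes.GetStatus().GetCode() != rpc.Code_CODE_OK || statRes.GetInfo() == nil`, answering with the existing "missing resource information" error, would fail closed; whether the `rpc` status package is imported in this file is not visible here. The check also runs unconditionally, so if `newPermissions` can be nil for requests that leave permissions untouched (its assignment is outside the hunk), the result depends on how sufficientPermissions treats nil, and `if newPermissions != nil && !sufficientPermissions(...)` would make that explicit. The two rejections also differ (`http.StatusNotFound` with an error value in createPublicLinkShare, `MetaBadRequest` with a nil error here) and neither is logged, which makes denied escalation attempts hard to find afterwards. Both function bodies continue outside the hunks shown.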
@@ -455,8 +455,7 @@ func (h *Handler) extractPermissions(reqRole string, reqPermissions string, ri *
role = conversions.RoleFromOCSPermissions(permissions)
}

existingPermissions := conversions.RoleFromResourcePermissions(ri.PermissionSet).OCSPermissions()
if !existingPermissions.Contain(permissions) {
if !sufficientPermissions(ri.PermissionSet, role.CS3ResourcePermissions()) {
return nil, nil, &ocsError{
Code: http.StatusNotFound,
Message: "Cannot set the requested share permissions",
@@ -1399,3 +1398,10 @@ func (h *Handler) getPoolClient() (gateway.GatewayAPIClient, error) {
func (h *Handler) getHomeNamespace(u *userpb.User) string {
return templates.WithUser(u, h.homeNamespace)
}

// sufficientPermissions returns true if the `existing` permissions contain the `requested` permissions
func sufficientPermissions(existing, requested *provider.ResourcePermissions) bool {
ep := conversions.RoleFromResourcePermissions(existing).OCSPermissions()
rp := conversions.RoleFromResourcePermissions(requested).OCSPermissions()
return ep.Contain(rp)
}
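Review bot: sufficientPermissions is now the single gate against resharing with higher permissions, but its comment does not say what happens for a nil `existing` or `requested`, and the callers in this commit pass values whose nil-ness cannot be ruled out from the hunks. The comparison is also made on the OCS permission bits obtained through `RoleFromResourcePermissions(...).OCSPermissions()` rather than on the CS3 fields themselves, so it is only as exact as that mapping, which is not visible here; a CS3 permission with no OCS bit would presumably be ignored. I would extend the comment to something like `// sufficientPermissions reports whether the OCS permissions derived from existing include all of those derived from requested; nil inputs are treated as no permissions (confirm against conversions).` A table test covering viewer-to-editor, equal roles and nil inputs would pin the fix, since no test accompanies the change on this page.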
