diff --git a/changelog/unreleased/bump-reva.md b/changelog/unreleased/bump-reva.md new file mode 100644 index 00000000000..f18e03f084a --- /dev/null +++ b/changelog/unreleased/bump-reva.md @@ -0,0 +1,8 @@ +Bugfix: Update reva to v2.19.5 + +We updated reva to v2.19.5 + +* Bugfix [cs3org/reva#4626](https://github.com/cs3org/reva/pull/4626): Fix public share update +* Bugfix [cs3org/reva#4634](https://github.com/cs3org/reva/pull/4634): Fix access to files withing a public link targeting a space root + +https://github.com/owncloud/ocis/pull/8873 diff --git a/changelog/unreleased/fix-adding-wopi-doc-on-public-share.md b/changelog/unreleased/fix-adding-wopi-doc-on-public-share.md new file mode 100644 index 00000000000..5c901ab5533 --- /dev/null +++ b/changelog/unreleased/fix-adding-wopi-doc-on-public-share.md @@ -0,0 +1,7 @@ +Bugfix: Fix creating new WOPI documents on public shares + +Creating a new Office document in a publicly shared folder is now possible. + +https://github.com/owncloud/ocis/pull/8828 +https://github.com/owncloud/ocis/issues/8691 + diff --git a/go.mod b/go.mod index 15ff4d4d2a6..c08e1480628 100644 --- a/go.mod +++ b/go.mod @@ -13,7 +13,7 @@ require ( github.com/cenkalti/backoff v2.2.1+incompatible github.com/coreos/go-oidc/v3 v3.9.0 github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 - github.com/cs3org/reva/v2 v2.19.4 + github.com/cs3org/reva/v2 v2.19.5 github.com/dhowden/tag v0.0.0-20230630033851-978a0926ee25 github.com/disintegration/imaging v1.6.2 github.com/dutchcoders/go-clamd v0.0.0-20170520113014-b970184f4d9e diff --git a/go.sum b/go.sum index 2721eebd1b7..9230fc802d0 100644 --- a/go.sum +++ b/go.sum @@ -1019,8 +1019,8 @@ github.com/crewjam/saml v0.4.14 h1:g9FBNx62osKusnFzs3QTN5L9CVA/Egfgm+stJShzw/c= github.com/crewjam/saml v0.4.14/go.mod h1:UVSZCf18jJkk6GpWNVqcyQJMD5HsRugBPf4I1nl2mME= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781 h1:BUdwkIlf8IS2FasrrPg8gGPHQPOrQ18MS1Oew2tmGtY= github.com/cs3org/go-cs3apis v0.0.0-20231023073225-7748710e0781/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY= -github.com/cs3org/reva/v2 v2.19.4 h1:gOcV6cgV+es624ckLUkXWL9mbHZpPXEgsa83/YA6WYA= -github.com/cs3org/reva/v2 v2.19.4/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E= +github.com/cs3org/reva/v2 v2.19.5 h1:Qh38wpPovnb0jPpgGR6L6HfbQ8vwObcrB8yUCRJldSw= +github.com/cs3org/reva/v2 v2.19.5/go.mod h1:GRUrOp5HbFVwZTgR9bVrMZ/MvVy+Jhxw1PdMmhhKP9E= github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= diff --git a/services/proxy/pkg/middleware/public_share_auth.go b/services/proxy/pkg/middleware/public_share_auth.go index f66e030a006..403d5d598bb 100644 --- a/services/proxy/pkg/middleware/public_share_auth.go +++ b/services/proxy/pkg/middleware/public_share_auth.go @@ -44,7 +44,7 @@ func isPublicShareArchive(r *http.Request) bool { // The app open requests can also be made in authenticated context. In these cases the PublicShareAuthenticator // needs to ignore the request. func isPublicShareAppOpen(r *http.Request) bool { - return strings.HasPrefix(r.URL.Path, "/app/open") && + return (strings.HasPrefix(r.URL.Path, "/app/open") || strings.HasPrefix(r.URL.Path, "/app/new")) && (r.URL.Query().Get(headerShareToken) != "" || r.Header.Get(headerShareToken) != "") } diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go index 1b5edd9f206..5cb6183c618 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go +++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/interceptors/auth/scope.go @@ -264,7 +264,15 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent if statResponse.Status.Code != rpc.Code_CODE_OK { return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor") } - parentPath := statResponse.Info.Path + + pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: statResponse.GetInfo().GetId()}) + if err != nil { + return false, err + } + if pathResp.Status.Code != rpc.Code_CODE_OK { + return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor") + } + parentPath := pathResp.Path childPath := ref.GetPath() if childPath != "" && childPath != "." && strings.HasPrefix(childPath, parentPath) { @@ -308,7 +316,7 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent if childStat.Status.Code != rpc.Code_CODE_OK { return false, statuspkg.NewErrorFromCode(childStat.Status.Code, "auth interceptor") } - pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()}) + pathResp, err = client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()}) if err != nil { return false, err } diff --git a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go index 3df749f8823..a18401b5c23 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go +++ b/vendor/github.com/cs3org/reva/v2/internal/grpc/services/publicshareprovider/publicshareprovider.go @@ -554,12 +554,24 @@ func (s *service) UpdatePublicShare(ctx context.Context, req *link.UpdatePublicS } updatePassword := req.GetUpdate().GetType() == link.UpdatePublicShareRequest_Update_TYPE_PASSWORD setPassword := grant.GetPassword() + + // we update permissions with an empty password and password is not set on the public share + emptyPasswordInPermissionUpdate := len(setPassword) == 0 && updatePermissions && !ps.PasswordProtected + + // password is updated, we use the current permissions to check if the user can opt out if updatePassword && !isInternalLink && enforcePassword(canOptOut, ps.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 { return &link.UpdatePublicShareResponse{ Status: status.NewInvalidArg(ctx, "password protection is enforced"), }, nil } + // permissions are updated, we use the new permissions to check if the user can opt out + if emptyPasswordInPermissionUpdate && !isInternalLink && enforcePassword(canOptOut, grant.GetPermissions().GetPermissions(), s.conf) && len(setPassword) == 0 { + return &link.UpdatePublicShareResponse{ + Status: status.NewInvalidArg(ctx, "password protection is enforced"), + }, nil + } + // validate password policy if updatePassword && len(setPassword) > 0 { if err := s.passwordValidator.Validate(setPassword); err != nil { diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go index 8036066657b..ecb3c20bc7c 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/archiver/manager/archiver.go @@ -29,6 +29,7 @@ import ( provider "github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1" "github.com/cs3org/reva/v2/pkg/storage/utils/downloader" "github.com/cs3org/reva/v2/pkg/storage/utils/walker" + "github.com/cs3org/reva/v2/pkg/utils" ) // Config is the config for the Archiver @@ -77,7 +78,7 @@ func (a *Archiver) CreateTar(ctx context.Context, dst io.Writer) (func(), error) } // when archiving a space we can omit the spaceroot - if isSpaceRoot(info) { + if utils.IsSpaceRoot(info) { return nil } @@ -152,7 +153,7 @@ func (a *Archiver) CreateZip(ctx context.Context, dst io.Writer) (func(), error) } // when archiving a space we can omit the spaceroot - if isSpaceRoot(info) { + if utils.IsSpaceRoot(info) { return nil } @@ -205,9 +206,3 @@ func (a *Archiver) CreateZip(ctx context.Context, dst io.Writer) (func(), error) } return closer, nil } - -func isSpaceRoot(info *provider.ResourceInfo) bool { - f := info.GetId() - s := info.GetSpace().GetRoot() - return f.GetOpaqueId() == s.GetOpaqueId() && f.GetSpaceId() == s.GetSpaceId() -} diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go index 166c110f3f0..bb7b4cd6b36 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/copy.go @@ -610,7 +610,7 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re errors.HandleErrorStatus(log, w, srcStatRes.Status) return nil } - if isSpaceRoot(srcStatRes.GetInfo()) { + if utils.IsSpaceRoot(srcStatRes.GetInfo()) { log.Error().Msg("the source is disallowed") w.WriteHeader(http.StatusBadRequest) return nil @@ -632,7 +632,7 @@ func (s *svc) prepareCopy(ctx context.Context, w http.ResponseWriter, r *http.Re if dstStatRes.Status.Code == rpc.Code_CODE_OK { successCode = http.StatusNoContent // 204 if target already existed, see https://tools.ietf.org/html/rfc4918#section-9.8.5 - if isSpaceRoot(dstStatRes.GetInfo()) { + if utils.IsSpaceRoot(dstStatRes.GetInfo()) { log.Error().Msg("overwriting is not allowed") w.WriteHeader(http.StatusBadRequest) return nil diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go index 4706d20e9d5..60516979e49 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/move.go @@ -196,7 +196,7 @@ func (s *svc) handleMove(ctx context.Context, w http.ResponseWriter, r *http.Req errors.HandleErrorStatus(&log, w, srcStatRes.Status) return } - if isSpaceRoot(srcStatRes.GetInfo()) { + if utils.IsSpaceRoot(srcStatRes.GetInfo()) { log.Error().Msg("the source is disallowed") w.WriteHeader(http.StatusBadRequest) return @@ -219,7 +219,7 @@ func (s *svc) handleMove(ctx context.Context, w http.ResponseWriter, r *http.Req if dstStatRes.Status.Code == rpc.Code_CODE_OK { successCode = http.StatusNoContent // 204 if target already existed, see https://tools.ietf.org/html/rfc4918#section-9.9.4 - if isSpaceRoot(dstStatRes.GetInfo()) { + if utils.IsSpaceRoot(dstStatRes.GetInfo()) { log.Error().Msg("overwriting is not allowed") w.WriteHeader(http.StatusBadRequest) return diff --git a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go index 509a6ea633f..d3cab17bec9 100644 --- a/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go +++ b/vendor/github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/ocdav.go @@ -418,9 +418,3 @@ func (s *svc) referenceIsChildOf(ctx context.Context, selector pool.Selectable[g pp := path.Join(parentPathRes.Path, parent.Path) + "/" return strings.HasPrefix(cp, pp), nil } - -func isSpaceRoot(info *provider.ResourceInfo) bool { - f := info.GetId() - s := info.GetSpace().GetRoot() - return f.GetOpaqueId() == s.GetOpaqueId() && f.GetSpaceId() == s.GetSpaceId() -} diff --git a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go index d363d9f2da6..075aee2128f 100644 --- a/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go +++ b/vendor/github.com/cs3org/reva/v2/pkg/utils/grpc.go @@ -201,6 +201,13 @@ func IsStatusCodeError(err error, code rpc.Code) bool { return sce.code == code } +// IsSpaceRoot checks if the given resource info is referring to a space root +func IsSpaceRoot(ri *storageprovider.ResourceInfo) bool { + f := ri.GetId() + s := ri.GetSpace().GetRoot() + return f.GetOpaqueId() == s.GetOpaqueId() && f.GetSpaceId() == s.GetSpaceId() +} + func checkStatusCode(reason string, code rpc.Code) error { if code == rpc.Code_CODE_OK { return nil diff --git a/vendor/modules.txt b/vendor/modules.txt index 5e24b61df5f..e83f4f2ccde 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -359,7 +359,7 @@ github.com/cs3org/go-cs3apis/cs3/storage/provider/v1beta1 github.com/cs3org/go-cs3apis/cs3/storage/registry/v1beta1 github.com/cs3org/go-cs3apis/cs3/tx/v1beta1 github.com/cs3org/go-cs3apis/cs3/types/v1beta1 -# github.com/cs3org/reva/v2 v2.19.4 +# github.com/cs3org/reva/v2 v2.19.5 ## explicit; go 1.21 github.com/cs3org/reva/v2/cmd/revad/internal/grace github.com/cs3org/reva/v2/cmd/revad/runtime