Merge pull request #10136 from kobergj/ForbidActivitiesForSharees

[full-ci] Forbid Sharee access to Activities
owncloud · Sep 23, 2024 · 8344424 · 8344424
2 parents 0d0c633 + e2e8032
commit 8344424
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/changelog/unreleased/forbid-activities-for-sharees.md b/changelog/unreleased/forbid-activities-for-sharees.md
@@ -0,0 +1,5 @@
+Bugfix: Forbid Activities for Sharees
+
+Sharees may not see item activities. We now bind it to ListGrants permission.
+
+https://github.com/owncloud/ocis/pull/10136
diff --git a/services/activitylog/pkg/service/http.go b/services/activitylog/pkg/service/http.go
@@ -67,12 +67,18 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
 		return
 	}
 
-	_, err = utils.GetResourceByID(ctx, rid, gwc)
+	info, err := utils.GetResourceByID(ctx, rid, gwc)
 	if err != nil {
 		w.WriteHeader(http.StatusForbidden)
 		return
 	}
 
+	// you need ListGrants to see activities
+	if !info.GetPermissionSet().GetListGrants() {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
 	raw, err := s.Activities(rid)
 	if err != nil {
 		s.log.Error().Err(err).Msg("error getting activities")