From e2e80326fd422704bcd6e4cb8c95babe6c83cd77 Mon Sep 17 00:00:00 2001
From: jkoberg
Date: Mon, 23 Sep 2024 15:01:14 +0200
Subject: [PATCH] fix(activitylog): forbid sharees access to activities

Signed-off-by: jkoberg
---
 changelog/unreleased/forbid-activities-for-sharees.md | 5 +++++
 services/activitylog/pkg/service/http.go | 8 +++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/forbid-activities-for-sharees.md

diff --git a/changelog/unreleased/forbid-activities-for-sharees.md b/changelog/unreleased/forbid-activities-for-sharees.md
new file mode 100644
index 00000000000..ca7d7620539
--- /dev/null
+++ b/changelog/unreleased/forbid-activities-for-sharees.md
@@ -0,0 +1,5 @@
+Bugfix: Forbid Activities for Sharees
+
+Sharees may not see item activities. We now bind it to ListGrants permission.
+
+https://github.com/owncloud/ocis/pull/10136
diff --git a/services/activitylog/pkg/service/http.go b/services/activitylog/pkg/service/http.go
index 543c85e0e2a..3405d82e0f9 100644
--- a/services/activitylog/pkg/service/http.go
+++ b/services/activitylog/pkg/service/http.go
@@ -67,12 +67,18 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
 return
 }
 
- _, err = utils.GetResourceByID(ctx, rid, gwc)
+ info, err := utils.GetResourceByID(ctx, rid, gwc)
 if err != nil {
 w.WriteHeader(http.StatusForbidden)
 return
 }
 
+ // you need ListGrants to see activities
+ if !info.GetPermissionSet().GetListGrants() {
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
+
 raw, err := s.Activities(rid)
 if err != nil {
 s.log.Error().Err(err).Msg("error getting activities")
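Review bot: The new gate on `info.GetPermissionSet().GetListGrants()` denies with a bare 403 and no log entry, so in the service logs a refused request is indistinguishable from the GetResourceByID failure a few lines above that answers with the same status; a debug-level line before the `WriteHeader`, e.g. `s.log.Debug().Msg("activities denied: requester lacks ListGrants on the item")`, would make the policy observable for operators without changing what the client sees. The added comment should also state the reasoning, since the changelog says "sharees may not see activities" while the code tests a single permission bit: any share role that happens to include ListGrants would still pass, and the hunk alone does not show which roles do, so spell it out as `// Activities reveal who did what on the item; gate them on ListGrants so only users who can already see the item's grants (owners/managers, not plain sharees) receive them.` so the next reader can check that assumption against the share roles. Note that this relies on the permission set returned by the stat reflecting the requesting user's effective rights on the resource, which is presumably the case but is not visible here. The enclosing HandleGetItemActivities starts and ends outside the hunk.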