allow requesting capabilities from password protected links
fschade committed Feb 23, 2022
1 parent d92dc89 commit e870208
Showing 3 changed files with 63 additions and 3 deletions.
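--- a/changelog/unreleased/fix-capabilities-for-public-links.md
+++ b/changelog/unreleased/fix-capabilities-for-public-links.md
@@ -0,0 +1,7 @@
+Bugfix: Capabilities for password protected public links
+
+Allow password protected public links to request capabilities.
+
+https://github.com/owncloud/ocis/pull/3229
+https://github.com/owncloud/web/pull/6471
+https://github.com/owncloud/web/issues/5863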
22 changes: 19 additions & 3 deletions proxy/pkg/middleware/basic_auth.go
@@ -11,8 +11,6 @@ import (
"github.com/owncloud/ocis/proxy/pkg/webdav"
)

const publicFilesEndpoint = "/remote.php/dav/public-files/"

// BasicAuth provides a middleware to check if BasicAuth is provided
func BasicAuth(optionSetters ...Option) func(next http.Handler) http.Handler {
options := newOptions(optionSetters...)
@@ -111,7 +109,25 @@ type basicAuth struct {

func (m basicAuth) isPublicLink(req *http.Request) bool {
login, _, ok := req.BasicAuth()
return ok && login == "public" && strings.HasPrefix(req.URL.Path, publicFilesEndpoint)

if !ok || login != "public" {
return false
}

publicPaths := []string{
"/remote.php/dav/public-files/",
"/ocs/v1.php/cloud/capabilities",
}
isPublic := false

for _, p := range publicPaths {
if strings.HasPrefix(req.URL.Path, p) {
isPublic = true
break
}
}

return isPublic
}

// The token auth endpoint uses basic auth for clients, see https://openid.net/specs/openid-connect-basic-1_0.html#TokenRequest
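Review bot: Both entries in `publicPaths` are matched with `strings.HasPrefix` against the raw `req.URL.Path`, so the new capabilities entry also accepts any longer path that merely starts with `/ocs/v1.php/cloud/capabilities`, and neither entry accounts for dot-segments in a path that has not been normalised. This predicate appears to decide which requests are handled as public-link traffic (the calling middleware body is collapsed outside the visible hunks, so that is inferred), which is why it should match as narrowly as possible. Normalise first with `clean := path.Clean(req.URL.Path)` and then `return clean == "/ocs/v1.php/cloud/capabilities" || strings.HasPrefix(clean+"/", "/remote.php/dav/public-files/")`; this needs the `path` import and still satisfies every row of the new test table. A short comment on the function stating that the `public` login alone is not proof of a valid share, and where the share password is actually verified, would also help the next reader.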
37 changes: 37 additions & 0 deletions proxy/pkg/middleware/basic_auth_test.go
@@ -1,3 +1,40 @@
package middleware

import (
"net/http/httptest"
"testing"
)

/**/

func TestBasicAuth__isPublicLink(t *testing.T) {
tests := []struct {
url string
username string
expected bool
}{
{url: "/remote.php/dav/public-files/", username: "", expected: false},
{url: "/remote.php/dav/public-files/", username: "abc", expected: false},
{url: "/remote.php/dav/public-files/", username: "private", expected: false},
{url: "/remote.php/dav/public-files/", username: "public", expected: true},
{url: "/ocs/v1.php/cloud/capabilities", username: "", expected: false},
{url: "/ocs/v1.php/cloud/capabilities", username: "abc", expected: false},
{url: "/ocs/v1.php/cloud/capabilities", username: "private", expected: false},
{url: "/ocs/v1.php/cloud/capabilities", username: "public", expected: true},
{url: "/ocs/v1.php/cloud/users/admin", username: "public", expected: false},
}
ba := basicAuth{}

for _, tt := range tests {
req := httptest.NewRequest("", tt.url, nil)

if tt.username != "" {
req.SetBasicAuth(tt.username, "")
}

result := ba.isPublicLink(req)
if result != tt.expected {
t.Errorf("with %s expected %t got %t", tt.url, tt.expected, result)
}
}
}
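Review bot: The table has no row just past the prefix boundary, so it does not pin how narrowly `isPublicLink` matches; a row such as `{url: "/ocs/v1.php/cloud/capabilitiesx", username: "public", expected: false}` (constructed example) and one `public-files` path containing a `..` segment would document the intended behaviour, and the first of these fails against the prefix match as committed. The `t.Errorf` message prints only the URL, so the four rows that share a URL cannot be told apart on failure; `t.Errorf("with %s as %q expected %t got %t", tt.url, tt.username, tt.expected, result)` fixes that. The stray `/**/` comment above the test can be dropped.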
