Skip to content

Commit

Permalink
Merge pull request #43739 from nextcloud/backport/43727/stable26
Browse files Browse the repository at this point in the history
  • Loading branch information
skjnldsv authored Feb 22, 2024
2 parents 33cecc3 + c70b869 commit 202428b
Show file tree
Hide file tree
Showing 11 changed files with 123 additions and 19 deletions.
2 changes: 1 addition & 1 deletion apps/dav/lib/Connector/Sabre/ServerFactory.php
Original file line number Diff line number Diff line change
Expand Up @@ -161,7 +161,7 @@ public function createServer(string $baseUri,

// Allow view-only plugin for webdav requests
$server->addPlugin(new ViewOnlyPlugin(
$this->logger
$userFolder,
));

if ($this->userSession->isLoggedIn()) {
Expand Down
20 changes: 16 additions & 4 deletions apps/dav/lib/DAV/ViewOnlyPlugin.php
Original file line number Diff line number Diff line change
Expand Up @@ -24,8 +24,8 @@
use OCA\DAV\Connector\Sabre\Exception\Forbidden;
use OCA\DAV\Connector\Sabre\File as DavFile;
use OCA\Files_Versions\Sabre\VersionFile;
use OCP\Files\Folder;
use OCP\Files\NotFoundException;
use Psr\Log\LoggerInterface;
use Sabre\DAV\Server;
use Sabre\DAV\ServerPlugin;
use Sabre\HTTP\RequestInterface;
Expand All @@ -36,10 +36,12 @@
*/
class ViewOnlyPlugin extends ServerPlugin {
private ?Server $server = null;
private LoggerInterface $logger;
private ?Folder $userFolder;

public function __construct(LoggerInterface $logger) {
$this->logger = $logger;
public function __construct(
?Folder $userFolder,
) {
$this->userFolder = $userFolder;
}

/**
Expand Down Expand Up @@ -76,6 +78,16 @@ public function checkViewOnly(RequestInterface $request): bool {
$node = $davNode->getNode();
} else if ($davNode instanceof VersionFile) {
$node = $davNode->getVersion()->getSourceFile();
$currentUserId = $this->userFolder?->getOwner()?->getUID();
// The version source file is relative to the owner storage.
// But we need the node from the current user perspective.
if ($node->getOwner()->getUID() !== $currentUserId) {
$nodes = $this->userFolder->getById($node->getId());
$node = array_pop($nodes);
if (!$node) {
throw new NotFoundException("Version file not accessible by current user");
}
}
} else {
return true;
}
Expand Down
2 changes: 1 addition & 1 deletion apps/dav/lib/Server.php
Original file line number Diff line number Diff line change
Expand Up @@ -238,7 +238,7 @@ public function __construct(IRequest $request, string $baseUri) {

// Allow view-only plugin for webdav requests
$this->server->addPlugin(new ViewOnlyPlugin(
$logger
\OC::$server->getUserFolder(),
));

if (BrowserErrorPagePlugin::isBrowserRequest($request)) {
Expand Down
28 changes: 26 additions & 2 deletions apps/dav/tests/unit/DAV/ViewOnlyPluginTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -26,10 +26,11 @@
use OCA\Files_Versions\Versions\IVersion;
use OCA\Files_Versions\Sabre\VersionFile;
use OCP\Files\File;
use OCP\Files\Folder;
use OCP\Files\Storage\IStorage;
use OCP\IUser;
use OCP\Share\IAttributes;
use OCP\Share\IShare;
use Psr\Log\LoggerInterface;
use Sabre\DAV\Server;
use Sabre\DAV\Tree;
use Test\TestCase;
Expand All @@ -43,10 +44,13 @@ class ViewOnlyPluginTest extends TestCase {
private $tree;
/** @var RequestInterface | \PHPUnit\Framework\MockObject\MockObject */
private $request;
/** @var Folder | \PHPUnit\Framework\MockObject\MockObject */
private $userFolder;

public function setUp(): void {
$this->userFolder = $this->createMock(Folder::class);
$this->plugin = new ViewOnlyPlugin(
$this->createMock(LoggerInterface::class)
$this->userFolder,
);
$this->request = $this->createMock(RequestInterface::class);
$this->tree = $this->createMock(Tree::class);
Expand Down Expand Up @@ -111,6 +115,26 @@ public function testCanGet(bool $isVersion, ?bool $attrEnabled, bool $expectCanD
$davNode->expects($this->once())
->method('getVersion')
->willReturn($version);

$currentUser = $this->createMock(IUser::class);
$currentUser->expects($this->once())
->method('getUID')
->willReturn('alice');
$nodeInfo->expects($this->once())
->method('getOwner')
->willReturn($currentUser);

$nodeInfo = $this->createMock(File::class);
$owner = $this->createMock(IUser::class);
$owner->expects($this->once())
->method('getUID')
->willReturn('bob');
$this->userFolder->expects($this->once())
->method('getById')
->willReturn([$nodeInfo]);
$this->userFolder->expects($this->once())
->method('getOwner')
->willReturn($owner);
} else {
$davPath = 'files/path/to/file.odt';
$davNode = $this->createMock(DavFile::class);
Expand Down
1 change: 1 addition & 0 deletions apps/dav/tests/unit/ServerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -45,6 +45,7 @@ public function test($uri, array $plugins): void {
/** @var IRequest | \PHPUnit\Framework\MockObject\MockObject $r */
$r = $this->createMock(IRequest::class);
$r->expects($this->any())->method('getRequestUri')->willReturn($uri);
$this->loginAsUser('admin');
$s = new Server($r, '/');
$this->assertNotNull($s->server);
foreach ($plugins as $plugin) {
Expand Down
38 changes: 37 additions & 1 deletion apps/files_versions/lib/Versions/LegacyVersionsBackend.php
Original file line number Diff line number Diff line change
Expand Up @@ -27,6 +27,7 @@
namespace OCA\Files_Versions\Versions;

use OC\Files\View;
use OCA\DAV\Connector\Sabre\Exception\Forbidden;
use OCA\Files_Sharing\SharedStorage;
use OCA\Files_Versions\Db\VersionEntity;
use OCA\Files_Versions\Db\VersionsMapper;
Expand All @@ -41,23 +42,27 @@
use OCP\Files\Storage\IStorage;
use OCP\IUser;
use OCP\IUserManager;
use OCP\IUserSession;

class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend, IDeletableVersionBackend {
private IRootFolder $rootFolder;
private IUserManager $userManager;
private VersionsMapper $versionsMapper;
private IMimeTypeLoader $mimeTypeLoader;
private IUserSession $userSession;

public function __construct(
IRootFolder $rootFolder,
IUserManager $userManager,
VersionsMapper $versionsMapper,
IMimeTypeLoader $mimeTypeLoader
IMimeTypeLoader $mimeTypeLoader,
IUserSession $userSession,
) {
$this->rootFolder = $rootFolder;
$this->userManager = $userManager;
$this->versionsMapper = $versionsMapper;
$this->mimeTypeLoader = $mimeTypeLoader;
$this->userSession = $userSession;
}

public function useBackendForStorage(IStorage $storage): bool {
Expand Down Expand Up @@ -171,6 +176,10 @@ public function createVersion(IUser $user, FileInfo $file) {
}

public function rollback(IVersion $version) {
if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
}

return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
}

Expand Down Expand Up @@ -202,6 +211,10 @@ public function getVersionFile(IUser $user, FileInfo $sourceFile, $revision): Fi
}

public function setVersionLabel(IVersion $version, string $label): void {
if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
throw new Forbidden('You cannot label this version because you do not have update permissions on the source file.');
}

$versionEntity = $this->versionsMapper->findVersionForFileId(
$version->getSourceFile()->getId(),
$version->getTimestamp(),
Expand All @@ -214,11 +227,34 @@ public function setVersionLabel(IVersion $version, string $label): void {
}

public function deleteVersion(IVersion $version): void {
if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_DELETE)) {
throw new Forbidden('You cannot delete this version because you do not have delete permissions on the source file.');
}

Storage::deleteRevision($version->getVersionPath(), $version->getRevisionId());
$versionEntity = $this->versionsMapper->findVersionForFileId(
$version->getSourceFile()->getId(),
$version->getTimestamp(),
);
$this->versionsMapper->delete($versionEntity);
}

private function currentUserHasPermissions(IVersion $version, int $permissions): bool {
$sourceFile = $version->getSourceFile();
$currentUserId = $this->userSession->getUser()?->getUID();

if ($currentUserId === null) {
throw new NotFoundException("No user logged in");
}

if ($sourceFile->getOwner()?->getUID() !== $currentUserId) {
$nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId());
$sourceFile = array_pop($nodes);
if (!$sourceFile) {
throw new NotFoundException("Version file not accessible by current user");
}
}

return ($sourceFile->getPermissions() & $permissions) === $permissions;
}
}
39 changes: 35 additions & 4 deletions apps/files_versions/src/components/Version.vue
Original file line number Diff line number Diff line change
Expand Up @@ -42,31 +42,32 @@
</div>
</template>
<template #actions>
<NcActionButton v-if="capabilities.files.version_labeling === true"
<NcActionButton v-if="capabilities.files.version_labeling === true && hasUpdatePermissions"
:close-after-click="true"
@click="openVersionLabelModal">
<template #icon>
<Pencil :size="22" />
</template>
{{ version.label === '' ? t('files_versions', 'Name this version') : t('files_versions', 'Edit version name') }}
</NcActionButton>
<NcActionButton v-if="!isCurrent"
<NcActionButton v-if="!isCurrent && hasUpdatePermissions"
:close-after-click="true"
@click="restoreVersion">
<template #icon>
<BackupRestore :size="22" />
</template>
{{ t('files_versions', 'Restore version') }}
</NcActionButton>
<NcActionLink :href="downloadURL"
<NcActionLink v-if="isDownloadable"
:href="downloadURL"
:close-after-click="true"
:download="downloadURL">
<template #icon>
<Download :size="22" />
</template>
{{ t('files_versions', 'Download version') }}
</NcActionLink>
<NcActionButton v-if="!isCurrent && capabilities.files.version_deletion === true"
<NcActionButton v-if="!isCurrent && capabilities.files.version_deletion === true && hasDeletePermissions"
:close-after-click="true"
@click="deleteVersion">
<template #icon>
Expand Down Expand Up @@ -123,6 +124,9 @@ import { joinPaths } from '@nextcloud/paths'
import { generateUrl, getRootUrl } from '@nextcloud/router'
import { loadState } from '@nextcloud/initial-state'
import { emit } from '@nextcloud/event-bus'
import { Permission } from '@nextcloud/files'

import { hasPermissions } from '../../../files_sharing/src/lib/SharePermissionsToolBox.js'

export default {
name: 'Version',
Expand Down Expand Up @@ -237,6 +241,33 @@ export default {
formattedDate() {
return moment(this.version.mtime).format('LLL')
},

/** @return {boolean} */
hasDeletePermissions() {
return hasPermissions(this.fileInfo.permissions, Permission.DELETE)
},

/** @return {boolean} */
hasUpdatePermissions() {
return hasPermissions(this.fileInfo.permissions, Permission.UPDATE)
},

/** @return {boolean} */
isDownloadable() {
if ((this.fileInfo.permissions & Permission.READ) === 0) {
return false
}

// If the mount type is a share, ensure it got download permissions.
if (this.fileInfo.mountType === 'shared') {
const downloadAttribute = this.fileInfo.shareAttributes.find((attribute) => attribute.scope === 'permissions' && attribute.key === 'download')
if (downloadAttribute !== undefined && downloadAttribute.enabled === false) {
return false
}
}

return true
},
},
methods: {
openVersion(e) {
Expand Down
4 changes: 2 additions & 2 deletions dist/core-common.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/core-common.js.map

Large diffs are not rendered by default.

4 changes: 2 additions & 2 deletions dist/files_versions-files_versions.js

Large diffs are not rendered by default.

2 changes: 1 addition & 1 deletion dist/files_versions-files_versions.js.map

Large diffs are not rendered by default.

0 comments on commit 202428b

Please sign in to comment.