fix(isLegitimatedForUserId): Setup mountpoints to check file access

This fixes workflows on groupfolders, as it will consider access to files in groupfolders. It also fixes false positives where access to files was limited by other means not taken into account before, e.g. access control. Fixes: nextcloud/flow_notifications#71 Signed-off-by: Jonas <jonas@freesources.org>
nextcloud · Sep 18, 2023 · 76a156d · 76a156d
1 parent e0c778f
commit 76a156d
Showing 1 changed file with 18 additions and 6 deletions.
diff --git a/apps/workflowengine/lib/Entity/File.php b/apps/workflowengine/lib/Entity/File.php
@@ -26,6 +26,7 @@
  */
 namespace OCA\WorkflowEngine\Entity;
 
+use OC\Files\Config\UserMountCache;
 use OCP\EventDispatcher\Event;
 use OCP\EventDispatcher\GenericEvent;
 use OCP\Files\InvalidPathException;
@@ -77,6 +78,8 @@ class File implements IEntity, IDisplayText, IUrl, IIcon, IContextPortation {
 	private $actingUser = null;
 	/** @var IUserManager */
 	private $userManager;
+	/** @var UserMountCache */
+	private $userMountCache;
 
 	public function __construct(
 		IL10N $l10n,
@@ -86,7 +89,8 @@ public function __construct(
 		ShareManager $shareManager,
 		IUserSession $userSession,
 		ISystemTagManager $tagManager,
-		IUserManager $userManager
+		IUserManager $userManager,
+		UserMountCache $userMountCache
 	) {
 		$this->l10n = $l10n;
 		$this->urlGenerator = $urlGenerator;
@@ -96,6 +100,7 @@ public function __construct(
 		$this->userSession = $userSession;
 		$this->tagManager = $tagManager;
 		$this->userManager = $userManager;
+		$this->userMountCache = $userMountCache;
 	}
 
 	public function getName(): string {
@@ -136,12 +141,19 @@ public function prepareRuleMatcher(IRuleMatcher $ruleMatcher, string $eventName,
 
 	public function isLegitimatedForUserId(string $uid): bool {
 		try {
-			$node = $this->getNode();
-			if ($node->getOwner()->getUID() === $uid) {
-				return true;
+			$fileId = $this->getNode()->getId();
+			$mounts = $this->userMountCache->getMountsForFileId($fileId);
+			foreach ($mounts as $mount) {
+				if ($mount->getUser()->getUID() !== $uid) {
+					continue;
+				}
+
+				$userFolder = $this->root->getUserFolder($uid);
+				if (!empty($userFolder->getById($fileId))) {
+					return true;
+				}
 			}
-			$acl = $this->shareManager->getAccessList($node, true, true);
-			return isset($acl['users']) && array_key_exists($uid, $acl['users']);
+			return false;
 		} catch (NotFoundException $e) {
 			return false;
 		}