Skip to content

Commit

Permalink
WIP: fix(isLegitimatedForUserId): Setup mountpoints to check file access
Browse files Browse the repository at this point in the history
This fixes workflows on groupfolders, as it will consider access to
files in groupfolders.

It also fixes false positives where access to files was limited by other
means not taken into account before, e.g. access control.

Fixes: nextcloud/flow_notifications#71

TODO:
* [ ] Remove obsolete code that uses `shareManager`
* [ ] Maybe also remove check for file owner (?)

Signed-off-by: Jonas <jonas@freesources.org>
  • Loading branch information
mejo- committed Sep 18, 2023
1 parent e0c778f commit fe3d6f4
Showing 1 changed file with 28 additions and 2 deletions.
30 changes: 28 additions & 2 deletions apps/workflowengine/lib/Entity/File.php
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@
*/
namespace OCA\WorkflowEngine\Entity;

use OC\Files\Config\UserMountCache;
use OCP\EventDispatcher\Event;
use OCP\EventDispatcher\GenericEvent;
use OCP\Files\InvalidPathException;
Expand Down Expand Up @@ -77,6 +78,8 @@ class File implements IEntity, IDisplayText, IUrl, IIcon, IContextPortation {
private $actingUser = null;
/** @var IUserManager */
private $userManager;
/** @var UserMountCache */
private $userMountCache;

public function __construct(
IL10N $l10n,
Expand All @@ -86,7 +89,8 @@ public function __construct(
ShareManager $shareManager,
IUserSession $userSession,
ISystemTagManager $tagManager,
IUserManager $userManager
IUserManager $userManager,
UserMountCache $userMountCache
) {
$this->l10n = $l10n;
$this->urlGenerator = $urlGenerator;
Expand All @@ -96,6 +100,7 @@ public function __construct(
$this->userSession = $userSession;
$this->tagManager = $tagManager;
$this->userManager = $userManager;
$this->userMountCache = $userMountCache;
}

public function getName(): string {
Expand Down Expand Up @@ -137,11 +142,32 @@ public function prepareRuleMatcher(IRuleMatcher $ruleMatcher, string $eventName,
public function isLegitimatedForUserId(string $uid): bool {
try {
$node = $this->getNode();
// Is owner
if ($node->getOwner()->getUID() === $uid) {

Check notice

Code scanning / Psalm

PossiblyNullReference Note

Cannot call method getUID on possibly null value
return true;
}
// Has access to file
$fileId = $node->getId();
$mounts = $this->userMountCache->getMountsForFileId($fileId);
foreach ($mounts as $mount) {
$mountUID = $mount->getUser()->getUID();
if ($mountUID !== $uid) {
continue;
}

$userFolder = $this->root->getUserFolder($uid);
if (!empty($userFolder->getById($fileId))) {
return true;
}
}
// Has access to share
/*
$acl = $this->shareManager->getAccessList($node, true, true);
return isset($acl['users']) && array_key_exists($uid, $acl['users']);
if (isset($acl['users']) && array_key_exists($uid, $acl['users'])) {
return true;
}
*/
return false;
} catch (NotFoundException $e) {
return false;
}
Expand Down

0 comments on commit fe3d6f4

Please sign in to comment.