fix(attachments): Don't allow selecting shared folders as attachment …

…folder Signed-off-by: Joas Schilling <coding@schilljs.com> [skip ci]
nextcloud · Jan 23, 2024 · d25cfd1 · d25cfd1
1 parent 1a15bac
commit d25cfd1
Show file tree

Hide file tree

Showing 7 changed files with 34 additions and 0 deletions.
diff --git a/lib/Controller/SettingsController.php b/lib/Controller/SettingsController.php
@@ -103,6 +103,9 @@ protected function validateUserSetting(string $setting, $value): bool {
 				if (!$node instanceof Folder) {
 					throw new NotPermittedException('Node is not a directory');
 				}
+				if ($node->isShared()) {
+					throw new NotPermittedException('Folder is shared');
+				}
 				return !$node->getStorage()->instanceOfStorage(SharedStorage::class);
 			} catch (NotFoundException $e) {
 				$userFolder->newFolder($value);

diff --git a/lib/Files/TemplateLoader.php b/lib/Files/TemplateLoader.php
@@ -39,6 +39,7 @@
 use OCP\IUser;
 use OCP\IUserSession;
 use OCP\Util;
+use Psr\Log\LoggerInterface;
 
 /**
  * Helper class to add the Talk UI to the sidebar of the Files app.

diff --git a/lib/PublicShare/TemplateLoader.php b/lib/PublicShare/TemplateLoader.php
@@ -36,6 +36,7 @@
 use OCP\ICacheFactory;
 use OCP\IConfig;
 use OCP\Util;
+use Psr\Log\LoggerInterface;
 
 /**
  * Helper class to extend the "publicshare" template from the server.

diff --git a/lib/PublicShareAuth/TemplateLoader.php b/lib/PublicShareAuth/TemplateLoader.php
@@ -35,6 +35,7 @@
 use OCP\ICacheFactory;
 use OCP\IConfig;
 use OCP\Util;
+use Psr\Log\LoggerInterface;
 
 /**
  * Helper class to extend the "publicshareauth" template from the server.

diff --git a/lib/Service/RecordingService.php b/lib/Service/RecordingService.php
@@ -190,6 +190,13 @@ private function getRecordingFolder(string $owner, string $token): Folder {
 		try {
 			/** @var \OCP\Files\Folder */
 			$recordingRootFolder = $userFolder->get($recordingRootFolderName);
+			if ($recordingRootFolder->isShared()) {
+				$this->logger->error('Talk attachment folder for user {userId} is set to a shared folder. Resetting to their root.', [
+					'userId' => $owner,
+				]);
+
+				$this->serverConfig->setUserValue($owner, 'spreed', 'attachment_folder', '/');
+			}
 		} catch (NotFoundException $e) {
 			/** @var \OCP\Files\Folder */
 			$recordingRootFolder = $userFolder->newFolder($recordingRootFolderName);

diff --git a/lib/TInitialState.php b/lib/TInitialState.php
@@ -34,6 +34,7 @@
 use OCP\IConfig;
 use OCP\IUser;
 use OCP\Util;
+use Psr\Log\LoggerInterface;
 
 trait TInitialState {
 	/** @var Config */
@@ -134,6 +135,12 @@ protected function publishInitialStateForUser(IUser $user, IRootFolder $rootFold
 				try {
 					try {
 						$folder = $userFolder->get($attachmentFolder);
+						if ($folder->isShared()) {
+							$this->logger->error('Talk attachment folder for user {userId} is set to a shared folder. Resetting to their root.', [
+								'userId' => $user->getUID(),
+							]);
+							throw new NotPermittedException('Folder is shared');
+						}
 					} catch (NotFoundException $e) {
 						$folder = $userFolder->newFolder($attachmentFolder);
 					}

diff --git a/tests/integration/features/sharing/settings.feature b/tests/integration/features/sharing/settings.feature
@@ -0,0 +1,14 @@
+Feature: sharing/settings
+
+  Background:
+    Given user "participant1" exists
+    Given user "participant2" exists
+
+  Scenario: Do not allow setting a shared folder as attachment_folder
+    Given user "participant1" creates folder "/test"
+    When user "participant1" sets setting "attachment_folder" to "/test" with 200 (v1)
+    Then user "participant1" has capability "spreed=>config=>attachments=>folder" set to "/test"
+    Given user "participant2" creates folder "/test-participant2"
+    Given user "participant2" shares "/test-participant2" with user "participant1" with OCS 100
+    When user "participant1" sets setting "attachment_folder" to "/test-participant2" with 400 (v1)
+    Then user "participant1" has capability "spreed=>config=>attachments=>folder" set to "/test"