Check node permissions when deleting a version
Signed-off-by: Louis Chemineau <louis@chmn.me>
parent
5606cadae7
commit
b48b153ac6
1 changed files with 29 additions and 1 deletions
|
|
@ -27,6 +27,7 @@ declare(strict_types=1);
|
|||
namespace OCA\Files_Versions\Versions;
|
||||
|
||||
use OC\Files\View;
|
||||
use OCA\DAV\Connector\Sabre\Exception\Forbidden;
|
||||
use OCA\Files_Sharing\ISharedStorage;
|
||||
use OCA\Files_Sharing\SharedStorage;
|
||||
use OCA\Files_Versions\Db\VersionEntity;
|
||||
|
|
@ -42,23 +43,27 @@ use OCP\Files\NotFoundException;
|
|||
use OCP\Files\Storage\IStorage;
|
||||
use OCP\IUser;
|
||||
use OCP\IUserManager;
|
||||
use OCP\IUserSession;
|
||||
|
||||
class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend, IDeletableVersionBackend, INeedSyncVersionBackend {
|
||||
private IRootFolder $rootFolder;
|
||||
private IUserManager $userManager;
|
||||
private VersionsMapper $versionsMapper;
|
||||
private IMimeTypeLoader $mimeTypeLoader;
|
||||
private IUserSession $userSession;
|
||||
|
||||
public function __construct(
|
||||
IRootFolder $rootFolder,
|
||||
IUserManager $userManager,
|
||||
VersionsMapper $versionsMapper,
|
||||
IMimeTypeLoader $mimeTypeLoader
|
||||
IMimeTypeLoader $mimeTypeLoader,
|
||||
IUserSession $userSession,
|
||||
) {
|
||||
$this->rootFolder = $rootFolder;
|
||||
$this->userManager = $userManager;
|
||||
$this->versionsMapper = $versionsMapper;
|
||||
$this->mimeTypeLoader = $mimeTypeLoader;
|
||||
$this->userSession = $userSession;
|
||||
}
|
||||
|
||||
public function useBackendForStorage(IStorage $storage): bool {
|
||||
|
|
@ -232,6 +237,10 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
|
|||
}
|
||||
|
||||
public function deleteVersion(IVersion $version): void {
|
||||
if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_DELETE)) {
|
||||
throw new Forbidden('You cannot delete this version because you do not have delete permissions on the source file.');
|
||||
}
|
||||
|
||||
Storage::deleteRevision($version->getVersionPath(), $version->getRevisionId());
|
||||
$versionEntity = $this->versionsMapper->findVersionForFileId(
|
||||
$version->getSourceFile()->getId(),
|
||||
|
|
@ -271,4 +280,23 @@ class LegacyVersionsBackend implements IVersionBackend, INameableVersionBackend,
|
|||
public function deleteVersionsEntity(File $file): void {
|
||||
$this->versionsMapper->deleteAllVersionsForFileId($file->getId());
|
||||
}
|
||||
|
||||
private function currentUserHasPermissions(IVersion $version, int $permissions): bool {
|
||||
$sourceFile = $version->getSourceFile();
|
||||
$currentUserId = $this->userSession->getUser()?->getUID();
|
||||
|
||||
if ($currentUserId === null) {
|
||||
throw new NotFoundException("No user logged in");
|
||||
}
|
||||
|
||||
if ($sourceFile->getOwner()?->getUID() !== $currentUserId) {
|
||||
$nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId());
|
||||
$sourceFile = array_pop($nodes);
|
||||
if (!$sourceFile) {
|
||||
throw new NotFoundException("Version file not accessible by current user");
|
||||
}
|
||||
}
|
||||
|
||||
return ($sourceFile->getPermissions() & $permissions) === $permissions;
|
||||
}
|
||||
}
|
||||
|
|
|
|||
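Review bot: In `currentUserHasPermissions`, `array_pop($nodes)` bases the decision on whichever node `getById()` happens to return last, so if the current user reaches the file through more than one mount or share with different permission masks, the outcome depends on ordering rather than on a stated policy. Make the policy explicit, for example by allowing the operation only when some node visible to the user carries all requested bits, as sketched below. Separately, the helper throws `NotFoundException` when there is no session user, so any caller of `deleteVersion()` that runs without a logged-in user (none is visible in this diff) would now fail with a not-found error rather than `Forbidden`. Only `deleteVersion()` is guarded in these hunks; whether the other mutating methods of this backend need the same check cannot be judged from what is shown.

```php
if ($sourceFile->getOwner()?->getUID() !== $currentUserId) {
	$nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId());
	if ($nodes === []) {
		throw new NotFoundException("Version file not accessible by current user");
	}
	// Explicit policy: one reachable node carrying every requested bit is sufficient.
	foreach ($nodes as $node) {
		if (($node->getPermissions() & $permissions) === $permissions) {
			return true;
		}
	}
	return false;
}
// … unchanged: owner path falls through to the existing permission-mask return …
```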