upstream/nextcloud
1
0
Fork 0
mirror of https://github.com/nextcloud/server.git synced 2026-05-13 08:59:42 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions 9

Check node permissions when restoring a version

Browse source 
Signed-off-by: Louis Chemineau <louis@chmn.me>
This commit is contained in:
Louis Chemineau 2024-02-27 15:51:25 +01:00
parent 941dee9df1
commit db2085cc07
No known key found for this signature in database
1 changed files with 29 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
apps/files_versions/lib/Versions/LegacyVersionsBackend.php
View file

@ -27,6 +27,7 @@ declare(strict_types=1);
namespace OCA\Files_Versions\Versions;
use OC\Files\View;
use OCA\DAV\Connector\Sabre\Exception\Forbidden;
use OCA\Files_Sharing\SharedStorage;
use OCA\Files_Versions\Storage;
use OCP\Files\File;
@ -37,16 +38,20 @@ use OCP\Files\NotFoundException;
use OCP\Files\Storage\IStorage;
use OCP\IUser;
use OCP\IUserManager;
use OCP\IUserSession;
class LegacyVersionsBackend implements IVersionBackend {
/** @var IRootFolder */
private $rootFolder;
/** @var IUserManager */
private $userManager;
/** @var IUserSession */
private $userSession;
public function __construct(IRootFolder $rootFolder, IUserManager $userManager) {
public function __construct(IRootFolder $rootFolder, IUserManager $userManager, IUserSession $userSession) {
$this->rootFolder = $rootFolder;
$this->userManager = $userManager;
$this->userSession = $userSession;
}
public function useBackendForStorage(IStorage $storage): bool {
@ -96,6 +101,10 @@ class LegacyVersionsBackend implements IVersionBackend {
}
public function rollback(IVersion $version) {
if (!$this->currentUserHasPermissions($version, \OCP\Constants::PERMISSION_UPDATE)) {
throw new Forbidden('You cannot restore this version because you do not have update permissions on the source file.');
}
return Storage::rollback($version->getVersionPath(), $version->getRevisionId(), $version->getUser());
}
@ -125,4 +134,23 @@ class LegacyVersionsBackend implements IVersionBackend {
$file = $versionFolder->get($userFolder->getRelativePath($sourceFile->getPath()) . '.v' . $revision);
return $file;
}
private function currentUserHasPermissions(IVersion $version, int $permissions): bool {
$sourceFile = $version->getSourceFile();
$currentUserId = $this->userSession->getUser()->getUID();
if ($currentUserId === null) {
throw new NotFoundException("No user logged in");
}
if ($sourceFile->getOwner()->getUID() !== $currentUserId) {
$nodes = $this->rootFolder->getUserFolder($currentUserId)->getById($sourceFile->getId());
$sourceFile = array_pop($nodes);
if (!$sourceFile) {
throw new NotFoundException("Version file not accessible by current user");
}
}
return ($sourceFile->getPermissions() & $permissions) === $permissions;
}
}