Merge pull request #6856 from owncloud/fixing-gallery-password-protected-access-master
adding password protection check to getShareByToken()
This commit is contained in:
commit
9851727b0d
|
@ -35,7 +35,7 @@ function determineIcon($file, $sharingRoot, $sharingToken) {
|
||||||
|
|
||||||
if (isset($_GET['t'])) {
|
if (isset($_GET['t'])) {
|
||||||
$token = $_GET['t'];
|
$token = $_GET['t'];
|
||||||
$linkItem = OCP\Share::getShareByToken($token);
|
$linkItem = OCP\Share::getShareByToken($token, false);
|
||||||
if (is_array($linkItem) && isset($linkItem['uid_owner'])) {
|
if (is_array($linkItem) && isset($linkItem['uid_owner'])) {
|
||||||
// seems to be a valid share
|
// seems to be a valid share
|
||||||
$type = $linkItem['item_type'];
|
$type = $linkItem['item_type'];
|
||||||
|
|
|
@ -347,20 +347,29 @@ class Share {
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* Get the item shared by a token
|
* Based on the given token the share information will be returned - password protected shares will be verified
|
||||||
* @param string token
|
* @param string $token
|
||||||
* @return Item
|
* @return array | bool false will be returned in case the token is unknown or unauthorized
|
||||||
*/
|
*/
|
||||||
public static function getShareByToken($token) {
|
public static function getShareByToken($token, $checkPasswordProtection = true) {
|
||||||
$query = \OC_DB::prepare('SELECT * FROM `*PREFIX*share` WHERE `token` = ?', 1);
|
$query = \OC_DB::prepare('SELECT * FROM `*PREFIX*share` WHERE `token` = ?', 1);
|
||||||
$result = $query->execute(array($token));
|
$result = $query->execute(array($token));
|
||||||
if (\OC_DB::isError($result)) {
|
if (\OC_DB::isError($result)) {
|
||||||
\OC_Log::write('OCP\Share', \OC_DB::getErrorMessage($result) . ', token=' . $token, \OC_Log::ERROR);
|
\OC_Log::write('OCP\Share', \OC_DB::getErrorMessage($result) . ', token=' . $token, \OC_Log::ERROR);
|
||||||
}
|
}
|
||||||
$row = $result->fetchRow();
|
$row = $result->fetchRow();
|
||||||
|
if ($row === false) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
if (is_array($row) and self::expireItem($row)) {
|
if (is_array($row) and self::expireItem($row)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// password protected shares need to be authenticated
|
||||||
|
if ($checkPasswordProtection && !\OCP\Share::checkPasswordProtectedShare($row)) {
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
return $row;
|
return $row;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1888,6 +1897,34 @@ class Share {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* In case a password protected link is not yet authenticated this function will return false
|
||||||
|
*
|
||||||
|
* @param array $linkItem
|
||||||
|
* @return bool
|
||||||
|
*/
|
||||||
|
public static function checkPasswordProtectedShare(array $linkItem) {
|
||||||
|
if (!isset($linkItem['share_with'])) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (!isset($linkItem['share_type'])) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
if (!isset($linkItem['id'])) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($linkItem['share_type'] != \OCP\Share::SHARE_TYPE_LINK) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( \OC::$session->exists('public_link_authenticated')
|
||||||
|
&& \OC::$session->get('public_link_authenticated') === $linkItem['id'] ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -25,6 +25,8 @@ class Test_Share extends PHPUnit_Framework_TestCase {
|
||||||
protected $userBackend;
|
protected $userBackend;
|
||||||
protected $user1;
|
protected $user1;
|
||||||
protected $user2;
|
protected $user2;
|
||||||
|
protected $user3;
|
||||||
|
protected $user4;
|
||||||
protected $groupBackend;
|
protected $groupBackend;
|
||||||
protected $group1;
|
protected $group1;
|
||||||
protected $group2;
|
protected $group2;
|
||||||
|
@ -656,4 +658,44 @@ class Test_Share extends PHPUnit_Framework_TestCase {
|
||||||
'Failed asserting that the share of the test.txt file by user 2 has been removed.'
|
'Failed asserting that the share of the test.txt file by user 2 has been removed.'
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @dataProvider checkPasswordProtectedShareDataProvider
|
||||||
|
* @param $expected
|
||||||
|
* @param $item
|
||||||
|
*/
|
||||||
|
public function testCheckPasswordProtectedShare($expected, $item) {
|
||||||
|
\OC::$session->set('public_link_authenticated', 100);
|
||||||
|
$result = \OCP\Share::checkPasswordProtectedShare($item);
|
||||||
|
$this->assertEquals($expected, $result);
|
||||||
|
}
|
||||||
|
|
||||||
|
function checkPasswordProtectedShareDataProvider() {
|
||||||
|
return array(
|
||||||
|
array(true, array()),
|
||||||
|
array(true, array('share_with' => null)),
|
||||||
|
array(true, array('share_with' => '')),
|
||||||
|
array(true, array('share_with' => '1234567890', 'share_type' => '1')),
|
||||||
|
array(true, array('share_with' => '1234567890', 'share_type' => 1)),
|
||||||
|
array(true, array('share_with' => '1234567890', 'share_type' => '3', 'id' => 100)),
|
||||||
|
array(true, array('share_with' => '1234567890', 'share_type' => 3, 'id' => 100)),
|
||||||
|
array(false, array('share_with' => '1234567890', 'share_type' => '3', 'id' => 101)),
|
||||||
|
array(false, array('share_with' => '1234567890', 'share_type' => 3, 'id' => 101)),
|
||||||
|
);
|
||||||
|
|
||||||
|
/*
|
||||||
|
if (!isset($linkItem['share_with'])) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($linkItem['share_type'] != \OCP\Share::SHARE_TYPE_LINK) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( \OC::$session->exists('public_link_authenticated')
|
||||||
|
&& \OC::$session->get('public_link_authenticated') === $linkItem['id'] ) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
* */
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
Loading…
Reference in New Issue