mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #6856 from owncloud/fixing-gallery-password-protected-access-master 

adding password protection check to getShareByToken()
This commit is contained in:
Vincent Petry 2014-01-21 11:08:58 -08:00
parent 3b7fea25a3 9bab05fd45
commit 9851727b0d
3 changed files with 84 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
apps/files_sharing/public.php
View File

@ -35,7 +35,7 @@ function determineIcon($file, $sharingRoot, $sharingToken) {
if (isset($_GET['t'])) { if (isset($_GET['t'])) {
$token = $_GET['t']; $token = $_GET['t'];
$linkItem = OCP\Share::getShareByToken($token); $linkItem = OCP\Share::getShareByToken($token, false);
if (is_array($linkItem) && isset($linkItem['uid_owner'])) { if (is_array($linkItem) && isset($linkItem['uid_owner'])) {
// seems to be a valid share // seems to be a valid share
$type = $linkItem['item_type']; $type = $linkItem['item_type'];

45
lib/public/share.php
View File

@ -347,20 +347,29 @@ class Share {
} }
/** /**
* Get the item shared by a token * Based on the given token the share information will be returned - password protected shares will be verified
* @param string token * @param string $token
* @return Item * @return array | bool false will be returned in case the token is unknown or unauthorized
*/ */
public static function getShareByToken($token) { public static function getShareByToken($token, $checkPasswordProtection = true) {
$query = \OC_DB::prepare('SELECT * FROM `*PREFIX*share` WHERE `token` = ?', 1); $query = \OC_DB::prepare('SELECT * FROM `*PREFIX*share` WHERE `token` = ?', 1);
$result = $query->execute(array($token)); $result = $query->execute(array($token));
if (\OC_DB::isError($result)) { if (\OC_DB::isError($result)) {
\OC_Log::write('OCP\Share', \OC_DB::getErrorMessage($result) . ', token=' . $token, \OC_Log::ERROR); \OC_Log::write('OCP\Share', \OC_DB::getErrorMessage($result) . ', token=' . $token, \OC_Log::ERROR);
} }
$row = $result->fetchRow(); $row = $result->fetchRow();
if ($row === false) {
return false;
}
if (is_array($row) and self::expireItem($row)) { if (is_array($row) and self::expireItem($row)) {
return false; return false;
} }
// password protected shares need to be authenticated
if ($checkPasswordProtection && !\OCP\Share::checkPasswordProtectedShare($row)) {
return false;
}
return $row; return $row;
} }
@ -1888,6 +1897,34 @@ class Share {
} }
} }
/**
* In case a password protected link is not yet authenticated this function will return false
*
* @param array $linkItem
* @return bool
*/
public static function checkPasswordProtectedShare(array $linkItem) {
if (!isset($linkItem['share_with'])) {
return true;
}
if (!isset($linkItem['share_type'])) {
return true;
}
if (!isset($linkItem['id'])) {
return true;
}
if ($linkItem['share_type'] != \OCP\Share::SHARE_TYPE_LINK) {
return true;
}
if ( \OC::$session->exists('public_link_authenticated')
&& \OC::$session->get('public_link_authenticated') === $linkItem['id'] ) {
return true;
}
return false;
}
} }
/** /**

42
tests/lib/share/share.php
View File

@ -25,6 +25,8 @@ class Test_Share extends PHPUnit_Framework_TestCase {
protected $userBackend; protected $userBackend;
protected $user1; protected $user1;
protected $user2; protected $user2;
protected $user3;
protected $user4;
protected $groupBackend; protected $groupBackend;
protected $group1; protected $group1;
protected $group2; protected $group2;
@ -656,4 +658,44 @@ class Test_Share extends PHPUnit_Framework_TestCase {
'Failed asserting that the share of the test.txt file by user 2 has been removed.' 'Failed asserting that the share of the test.txt file by user 2 has been removed.'
); );
} }
/**
* @dataProvider checkPasswordProtectedShareDataProvider
* @param $expected
* @param $item
*/
public function testCheckPasswordProtectedShare($expected, $item) {
\OC::$session->set('public_link_authenticated', 100);
$result = \OCP\Share::checkPasswordProtectedShare($item);
$this->assertEquals($expected, $result);
}
function checkPasswordProtectedShareDataProvider() {
return array(
array(true, array()),
array(true, array('share_with' => null)),
array(true, array('share_with' => '')),
array(true, array('share_with' => '1234567890', 'share_type' => '1')),
array(true, array('share_with' => '1234567890', 'share_type' => 1)),
array(true, array('share_with' => '1234567890', 'share_type' => '3', 'id' => 100)),
array(true, array('share_with' => '1234567890', 'share_type' => 3, 'id' => 100)),
array(false, array('share_with' => '1234567890', 'share_type' => '3', 'id' => 101)),
array(false, array('share_with' => '1234567890', 'share_type' => 3, 'id' => 101)),
);
/*
if (!isset($linkItem['share_with'])) {
return true;
}
if ($linkItem['share_type'] != \OCP\Share::SHARE_TYPE_LINK) {
return true;
}
if ( \OC::$session->exists('public_link_authenticated')
&& \OC::$session->get('public_link_authenticated') === $linkItem['id'] ) {
return true;
}
* */
}
} }