nextcloud/lib/private/Share20/Manager.php

1446 lines
42 KiB
PHP
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<?php
/**
* @copyright Copyright (c) 2016, ownCloud, Inc.
*
* @author Arthur Schiwon <blizzz@arthur-schiwon.de>
* @author Bjoern Schiessle <bjoern@schiessle.org>
* @author Björn Schießle <bjoern@schiessle.org>
* @author Joas Schilling <coding@schilljs.com>
* @author Roeland Jago Douma <roeland@famdouma.nl>
* @author Vincent Petry <pvince81@owncloud.com>
*
* @license AGPL-3.0
*
* This code is free software: you can redistribute it and/or modify
* it under the terms of the GNU Affero General Public License, version 3,
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU Affero General Public License for more details.
*
* You should have received a copy of the GNU Affero General Public License, version 3,
* along with this program. If not, see <http://www.gnu.org/licenses/>
*
*/
namespace OC\Share20;
use OC\Cache\CappedMemoryCache;
use OC\Files\Mount\MoveableMount;
use OC\HintException;
use OC\Share20\Exception\ProviderException;
use OCP\Files\File;
use OCP\Files\Folder;
use OCP\Files\IRootFolder;
use OCP\Files\Mount\IMountManager;
use OCP\Files\Node;
use OCP\IConfig;
use OCP\IGroupManager;
use OCP\IL10N;
use OCP\ILogger;
use OCP\IUserManager;
use OCP\Security\IHasher;
use OCP\Security\ISecureRandom;
use OCP\Share\Exceptions\GenericShareException;
use OCP\Share\Exceptions\ShareNotFound;
use OCP\Share\IManager;
use OCP\Share\IProviderFactory;
use Symfony\Component\EventDispatcher\EventDispatcher;
use Symfony\Component\EventDispatcher\GenericEvent;
use OCP\Share\IShareProvider;
/**
* This class is the communication hub for all sharing related operations.
*/
class Manager implements IManager {
/** @var IProviderFactory */
private $factory;
/** @var ILogger */
private $logger;
/** @var IConfig */
private $config;
/** @var ISecureRandom */
private $secureRandom;
/** @var IHasher */
private $hasher;
/** @var IMountManager */
private $mountManager;
/** @var IGroupManager */
private $groupManager;
/** @var IL10N */
private $l;
/** @var IUserManager */
private $userManager;
/** @var IRootFolder */
private $rootFolder;
/** @var CappedMemoryCache */
private $sharingDisabledForUsersCache;
/** @var EventDispatcher */
private $eventDispatcher;
/** @var LegacyHooks */
private $legacyHooks;
/**
* Manager constructor.
*
* @param ILogger $logger
* @param IConfig $config
* @param ISecureRandom $secureRandom
* @param IHasher $hasher
* @param IMountManager $mountManager
* @param IGroupManager $groupManager
* @param IL10N $l
* @param IProviderFactory $factory
* @param IUserManager $userManager
* @param IRootFolder $rootFolder
* @param EventDispatcher $eventDispatcher
*/
public function __construct(
ILogger $logger,
IConfig $config,
ISecureRandom $secureRandom,
IHasher $hasher,
IMountManager $mountManager,
IGroupManager $groupManager,
IL10N $l,
IProviderFactory $factory,
IUserManager $userManager,
IRootFolder $rootFolder,
EventDispatcher $eventDispatcher
) {
$this->logger = $logger;
$this->config = $config;
$this->secureRandom = $secureRandom;
$this->hasher = $hasher;
$this->mountManager = $mountManager;
$this->groupManager = $groupManager;
$this->l = $l;
$this->factory = $factory;
$this->userManager = $userManager;
$this->rootFolder = $rootFolder;
$this->eventDispatcher = $eventDispatcher;
$this->sharingDisabledForUsersCache = new CappedMemoryCache();
$this->legacyHooks = new LegacyHooks($this->eventDispatcher);
}
/**
* Convert from a full share id to a tuple (providerId, shareId)
*
* @param string $id
* @return string[]
*/
private function splitFullId($id) {
return explode(':', $id, 2);
}
/**
* Verify if a password meets all requirements
*
* @param string $password
* @throws \Exception
*/
protected function verifyPassword($password) {
if ($password === null) {
// No password is set, check if this is allowed.
if ($this->shareApiLinkEnforcePassword()) {
throw new \InvalidArgumentException('Passwords are enforced for link shares');
}
return;
}
// Let others verify the password
try {
$event = new GenericEvent($password);
$this->eventDispatcher->dispatch('OCP\PasswordPolicy::validate', $event);
} catch (HintException $e) {
throw new \Exception($e->getHint());
}
}
/**
* Check for generic requirements before creating a share
*
* @param \OCP\Share\IShare $share
* @throws \InvalidArgumentException
* @throws GenericShareException
*/
protected function generalCreateChecks(\OCP\Share\IShare $share) {
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) {
// We expect a valid user as sharedWith for user shares
if (!$this->userManager->userExists($share->getSharedWith())) {
throw new \InvalidArgumentException('SharedWith is not a valid user');
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
// We expect a valid group as sharedWith for group shares
if (!$this->groupManager->groupExists($share->getSharedWith())) {
throw new \InvalidArgumentException('SharedWith is not a valid group');
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
if ($share->getSharedWith() !== null) {
throw new \InvalidArgumentException('SharedWith should be empty');
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_REMOTE) {
if ($share->getSharedWith() === null) {
throw new \InvalidArgumentException('SharedWith should not be empty');
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) {
if ($share->getSharedWith() === null) {
throw new \InvalidArgumentException('SharedWith should not be empty');
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_CIRCLE) {
$circle = \OCA\Circles\Api\Circles::detailsCircle($share->getSharedWith());
if ($circle === null) {
throw new \InvalidArgumentException('SharedWith is not a valid circle');
}
} else {
// We can't handle other types yet
throw new \InvalidArgumentException('unknown share type');
}
// Verify the initiator of the share is set
if ($share->getSharedBy() === null) {
throw new \InvalidArgumentException('SharedBy should be set');
}
// Cannot share with yourself
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER &&
$share->getSharedWith() === $share->getSharedBy()) {
throw new \InvalidArgumentException('Cant share with yourself');
}
// The path should be set
if ($share->getNode() === null) {
throw new \InvalidArgumentException('Path should be set');
}
// And it should be a file or a folder
if (!($share->getNode() instanceof \OCP\Files\File) &&
!($share->getNode() instanceof \OCP\Files\Folder)) {
throw new \InvalidArgumentException('Path should be either a file or a folder');
}
// And you can't share your rootfolder
if ($this->userManager->userExists($share->getSharedBy())) {
$sharedPath = $this->rootFolder->getUserFolder($share->getSharedBy())->getPath();
} else {
$sharedPath = $this->rootFolder->getUserFolder($share->getShareOwner())->getPath();
}
if ($sharedPath === $share->getNode()->getPath()) {
throw new \InvalidArgumentException('You cant share your root folder');
}
// Check if we actually have share permissions
if (!$share->getNode()->isShareable()) {
$message_t = $this->l->t('You are not allowed to share %s', [$share->getNode()->getPath()]);
throw new GenericShareException($message_t, $message_t, 404);
}
// Permissions should be set
if ($share->getPermissions() === null) {
throw new \InvalidArgumentException('A share requires permissions');
}
/*
* Quick fix for #23536
* Non moveable mount points do not have update and delete permissions
* while we 'most likely' do have that on the storage.
*/
$permissions = $share->getNode()->getPermissions();
$mount = $share->getNode()->getMountPoint();
if (!($mount instanceof MoveableMount)) {
$permissions |= \OCP\Constants::PERMISSION_DELETE | \OCP\Constants::PERMISSION_UPDATE;
}
// Check that we do not share with more permissions than we have
if ($share->getPermissions() & ~$permissions) {
$message_t = $this->l->t('Cant increase permissions of %s', [$share->getNode()->getPath()]);
throw new GenericShareException($message_t, $message_t, 404);
}
// Check that read permissions are always set
// Link shares are allowed to have no read permissions to allow upload to hidden folders
$noReadPermissionRequired = $share->getShareType() === \OCP\Share::SHARE_TYPE_LINK
|| $share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL;
if (!$noReadPermissionRequired &&
($share->getPermissions() & \OCP\Constants::PERMISSION_READ) === 0) {
throw new \InvalidArgumentException('Shares need at least read permissions');
}
if ($share->getNode() instanceof \OCP\Files\File) {
if ($share->getPermissions() & \OCP\Constants::PERMISSION_DELETE) {
$message_t = $this->l->t('Files cant be shared with delete permissions');
throw new GenericShareException($message_t);
}
if ($share->getPermissions() & \OCP\Constants::PERMISSION_CREATE) {
$message_t = $this->l->t('Files cant be shared with create permissions');
throw new GenericShareException($message_t);
}
}
}
/**
* Validate if the expiration date fits the system settings
*
* @param \OCP\Share\IShare $share The share to validate the expiration date of
* @return \OCP\Share\IShare The modified share object
* @throws GenericShareException
* @throws \InvalidArgumentException
* @throws \Exception
*/
protected function validateExpirationDate(\OCP\Share\IShare $share) {
$expirationDate = $share->getExpirationDate();
if ($expirationDate !== null) {
//Make sure the expiration date is a date
$expirationDate->setTime(0, 0, 0);
$date = new \DateTime();
$date->setTime(0, 0, 0);
if ($date >= $expirationDate) {
$message = $this->l->t('Expiration date is in the past');
throw new GenericShareException($message, $message, 404);
}
}
// If expiredate is empty set a default one if there is a default
$fullId = null;
try {
$fullId = $share->getFullId();
} catch (\UnexpectedValueException $e) {
// This is a new share
}
if ($fullId === null && $expirationDate === null && $this->shareApiLinkDefaultExpireDate()) {
$expirationDate = new \DateTime();
$expirationDate->setTime(0,0,0);
$expirationDate->add(new \DateInterval('P'.$this->shareApiLinkDefaultExpireDays().'D'));
}
// If we enforce the expiration date check that is does not exceed
if ($this->shareApiLinkDefaultExpireDateEnforced()) {
if ($expirationDate === null) {
throw new \InvalidArgumentException('Expiration date is enforced');
}
$date = new \DateTime();
$date->setTime(0, 0, 0);
$date->add(new \DateInterval('P' . $this->shareApiLinkDefaultExpireDays() . 'D'));
if ($date < $expirationDate) {
$message = $this->l->t('Cant set expiration date more than %s days in the future', [$this->shareApiLinkDefaultExpireDays()]);
throw new GenericShareException($message, $message, 404);
}
}
$accepted = true;
$message = '';
\OCP\Util::emitHook('\OC\Share', 'verifyExpirationDate', [
'expirationDate' => &$expirationDate,
'accepted' => &$accepted,
'message' => &$message,
'passwordSet' => $share->getPassword() !== null,
]);
if (!$accepted) {
throw new \Exception($message);
}
$share->setExpirationDate($expirationDate);
return $share;
}
/**
* Check for pre share requirements for user shares
*
* @param \OCP\Share\IShare $share
* @throws \Exception
*/
protected function userCreateChecks(\OCP\Share\IShare $share) {
// Check if we can share with group members only
if ($this->shareWithGroupMembersOnly()) {
$sharedBy = $this->userManager->get($share->getSharedBy());
$sharedWith = $this->userManager->get($share->getSharedWith());
// Verify we can share with this user
$groups = array_intersect(
$this->groupManager->getUserGroupIds($sharedBy),
$this->groupManager->getUserGroupIds($sharedWith)
);
if (empty($groups)) {
throw new \Exception('Sharing is only allowed with group members');
}
}
/*
* TODO: Could be costly, fix
*
* Also this is not what we want in the future.. then we want to squash identical shares.
*/
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_USER);
$existingShares = $provider->getSharesByPath($share->getNode());
foreach($existingShares as $existingShare) {
// Ignore if it is the same share
try {
if ($existingShare->getFullId() === $share->getFullId()) {
continue;
}
} catch (\UnexpectedValueException $e) {
//Shares are not identical
}
// Identical share already existst
if ($existingShare->getSharedWith() === $share->getSharedWith()) {
throw new \Exception('Path is already shared with this user');
}
// The share is already shared with this user via a group share
if ($existingShare->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$group = $this->groupManager->get($existingShare->getSharedWith());
if (!is_null($group)) {
$user = $this->userManager->get($share->getSharedWith());
if ($group->inGroup($user) && $existingShare->getShareOwner() !== $share->getShareOwner()) {
throw new \Exception('Path is already shared with this user');
}
}
}
}
}
/**
* Check for pre share requirements for group shares
*
* @param \OCP\Share\IShare $share
* @throws \Exception
*/
protected function groupCreateChecks(\OCP\Share\IShare $share) {
// Verify group shares are allowed
if (!$this->allowGroupSharing()) {
throw new \Exception('Group sharing is now allowed');
}
// Verify if the user can share with this group
if ($this->shareWithGroupMembersOnly()) {
$sharedBy = $this->userManager->get($share->getSharedBy());
$sharedWith = $this->groupManager->get($share->getSharedWith());
if (is_null($sharedWith) || !$sharedWith->inGroup($sharedBy)) {
throw new \Exception('Sharing is only allowed within your own groups');
}
}
/*
* TODO: Could be costly, fix
*
* Also this is not what we want in the future.. then we want to squash identical shares.
*/
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_GROUP);
$existingShares = $provider->getSharesByPath($share->getNode());
foreach($existingShares as $existingShare) {
try {
if ($existingShare->getFullId() === $share->getFullId()) {
continue;
}
} catch (\UnexpectedValueException $e) {
//It is a new share so just continue
}
if ($existingShare->getSharedWith() === $share->getSharedWith()) {
throw new \Exception('Path is already shared with this group');
}
}
}
/**
* Check for pre share requirements for link shares
*
* @param \OCP\Share\IShare $share
* @throws \Exception
*/
protected function linkCreateChecks(\OCP\Share\IShare $share) {
// Are link shares allowed?
if (!$this->shareApiAllowLinks()) {
throw new \Exception('Link sharing is not allowed');
}
// Link shares by definition can't have share permissions
if ($share->getPermissions() & \OCP\Constants::PERMISSION_SHARE) {
throw new \InvalidArgumentException('Link shares cant have reshare permissions');
}
// Check if public upload is allowed
if (!$this->shareApiLinkAllowPublicUpload() &&
($share->getPermissions() & (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE))) {
throw new \InvalidArgumentException('Public upload is not allowed');
}
}
/**
* To make sure we don't get invisible link shares we set the parent
* of a link if it is a reshare. This is a quick word around
* until we can properly display multiple link shares in the UI
*
* See: https://github.com/owncloud/core/issues/22295
*
* FIXME: Remove once multiple link shares can be properly displayed
*
* @param \OCP\Share\IShare $share
*/
protected function setLinkParent(\OCP\Share\IShare $share) {
// No sense in checking if the method is not there.
if (method_exists($share, 'setParent')) {
$storage = $share->getNode()->getStorage();
if ($storage->instanceOfStorage('\OCA\Files_Sharing\ISharedStorage')) {
/** @var \OCA\Files_Sharing\SharedStorage $storage */
$share->setParent($storage->getShareId());
}
};
}
/**
* @param File|Folder $path
*/
protected function pathCreateChecks($path) {
// Make sure that we do not share a path that contains a shared mountpoint
if ($path instanceof \OCP\Files\Folder) {
$mounts = $this->mountManager->findIn($path->getPath());
foreach($mounts as $mount) {
if ($mount->getStorage()->instanceOfStorage('\OCA\Files_Sharing\ISharedStorage')) {
throw new \InvalidArgumentException('Path contains files shared with you');
}
}
}
}
/**
* Check if the user that is sharing can actually share
*
* @param \OCP\Share\IShare $share
* @throws \Exception
*/
protected function canShare(\OCP\Share\IShare $share) {
if (!$this->shareApiEnabled()) {
throw new \Exception('Sharing is disabled');
}
if ($this->sharingDisabledForUser($share->getSharedBy())) {
throw new \Exception('Sharing is disabled for you');
}
}
/**
* Share a path
*
* @param \OCP\Share\IShare $share
* @return Share The share object
* @throws \Exception
*
* TODO: handle link share permissions or check them
*/
public function createShare(\OCP\Share\IShare $share) {
$this->canShare($share);
$this->generalCreateChecks($share);
// Verify if there are any issues with the path
$this->pathCreateChecks($share->getNode());
/*
* On creation of a share the owner is always the owner of the path
* Except for mounted federated shares.
*/
$storage = $share->getNode()->getStorage();
if ($storage->instanceOfStorage('OCA\Files_Sharing\External\Storage')) {
$parent = $share->getNode()->getParent();
while($parent->getStorage()->instanceOfStorage('OCA\Files_Sharing\External\Storage')) {
$parent = $parent->getParent();
}
$share->setShareOwner($parent->getOwner()->getUID());
} else {
$share->setShareOwner($share->getNode()->getOwner()->getUID());
}
//Verify share type
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) {
$this->userCreateChecks($share);
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$this->groupCreateChecks($share);
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
$this->linkCreateChecks($share);
$this->setLinkParent($share);
/*
* For now ignore a set token.
*/
$share->setToken(
$this->secureRandom->generate(
\OC\Share\Constants::TOKEN_LENGTH,
\OCP\Security\ISecureRandom::CHAR_LOWER.
\OCP\Security\ISecureRandom::CHAR_UPPER.
\OCP\Security\ISecureRandom::CHAR_DIGITS
)
);
//Verify the expiration date
$this->validateExpirationDate($share);
//Verify the password
$this->verifyPassword($share->getPassword());
// If a password is set. Hash it!
if ($share->getPassword() !== null) {
$share->setPassword($this->hasher->hash($share->getPassword()));
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) {
$share->setToken(
$this->secureRandom->generate(
\OC\Share\Constants::TOKEN_LENGTH,
\OCP\Security\ISecureRandom::CHAR_LOWER.
\OCP\Security\ISecureRandom::CHAR_UPPER.
\OCP\Security\ISecureRandom::CHAR_DIGITS
)
);
}
// Cannot share with the owner
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER &&
$share->getSharedWith() === $share->getShareOwner()) {
throw new \InvalidArgumentException('Cant share with the share owner');
}
// Generate the target
$target = $this->config->getSystemValue('share_folder', '/') .'/'. $share->getNode()->getName();
$target = \OC\Files\Filesystem::normalizePath($target);
$share->setTarget($target);
// Pre share hook
$run = true;
$error = '';
$preHookData = [
'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder',
'itemSource' => $share->getNode()->getId(),
'shareType' => $share->getShareType(),
'uidOwner' => $share->getSharedBy(),
'permissions' => $share->getPermissions(),
'fileSource' => $share->getNode()->getId(),
'expiration' => $share->getExpirationDate(),
'token' => $share->getToken(),
'itemTarget' => $share->getTarget(),
'shareWith' => $share->getSharedWith(),
'run' => &$run,
'error' => &$error,
];
\OC_Hook::emit('OCP\Share', 'pre_shared', $preHookData);
if ($run === false) {
throw new \Exception($error);
}
$oldShare = $share;
$provider = $this->factory->getProviderForType($share->getShareType());
$share = $provider->create($share);
//reuse the node we already have
$share->setNode($oldShare->getNode());
// Post share hook
$postHookData = [
'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder',
'itemSource' => $share->getNode()->getId(),
'shareType' => $share->getShareType(),
'uidOwner' => $share->getSharedBy(),
'permissions' => $share->getPermissions(),
'fileSource' => $share->getNode()->getId(),
'expiration' => $share->getExpirationDate(),
'token' => $share->getToken(),
'id' => $share->getId(),
'shareWith' => $share->getSharedWith(),
'itemTarget' => $share->getTarget(),
'fileTarget' => $share->getTarget(),
];
\OC_Hook::emit('OCP\Share', 'post_shared', $postHookData);
return $share;
}
/**
* Update a share
*
* @param \OCP\Share\IShare $share
* @return \OCP\Share\IShare The share object
* @throws \InvalidArgumentException
*/
public function updateShare(\OCP\Share\IShare $share) {
$expirationDateUpdated = false;
$this->canShare($share);
try {
$originalShare = $this->getShareById($share->getFullId());
} catch (\UnexpectedValueException $e) {
throw new \InvalidArgumentException('Share does not have a full id');
}
// We can't change the share type!
if ($share->getShareType() !== $originalShare->getShareType()) {
throw new \InvalidArgumentException('Cant change share type');
}
// We can only change the recipient on user shares
if ($share->getSharedWith() !== $originalShare->getSharedWith() &&
$share->getShareType() !== \OCP\Share::SHARE_TYPE_USER) {
throw new \InvalidArgumentException('Can only update recipient on user shares');
}
// Cannot share with the owner
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER &&
$share->getSharedWith() === $share->getShareOwner()) {
throw new \InvalidArgumentException('Cant share with the share owner');
}
$this->generalCreateChecks($share);
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER) {
$this->userCreateChecks($share);
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$this->groupCreateChecks($share);
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
$this->linkCreateChecks($share);
$this->updateSharePasswordIfNeeded($share, $originalShare);
if ($share->getExpirationDate() != $originalShare->getExpirationDate()) {
//Verify the expiration date
$this->validateExpirationDate($share);
$expirationDateUpdated = true;
}
} else if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) {
$plainTextPassword = $share->getPassword();
if (!$this->updateSharePasswordIfNeeded($share, $originalShare)) {
$plainTextPassword = null;
}
}
$this->pathCreateChecks($share->getNode());
// Now update the share!
$provider = $this->factory->getProviderForType($share->getShareType());
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_EMAIL) {
$share = $provider->update($share, $plainTextPassword);
} else {
$share = $provider->update($share);
}
if ($expirationDateUpdated === true) {
\OC_Hook::emit('OCP\Share', 'post_set_expiration_date', [
'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder',
'itemSource' => $share->getNode()->getId(),
'date' => $share->getExpirationDate(),
'uidOwner' => $share->getSharedBy(),
]);
}
if ($share->getPassword() !== $originalShare->getPassword()) {
\OC_Hook::emit('OCP\Share', 'post_update_password', [
'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder',
'itemSource' => $share->getNode()->getId(),
'uidOwner' => $share->getSharedBy(),
'token' => $share->getToken(),
'disabled' => is_null($share->getPassword()),
]);
}
if ($share->getPermissions() !== $originalShare->getPermissions()) {
if ($this->userManager->userExists($share->getShareOwner())) {
$userFolder = $this->rootFolder->getUserFolder($share->getShareOwner());
} else {
$userFolder = $this->rootFolder->getUserFolder($share->getSharedBy());
}
\OC_Hook::emit('OCP\Share', 'post_update_permissions', array(
'itemType' => $share->getNode() instanceof \OCP\Files\File ? 'file' : 'folder',
'itemSource' => $share->getNode()->getId(),
'shareType' => $share->getShareType(),
'shareWith' => $share->getSharedWith(),
'uidOwner' => $share->getSharedBy(),
'permissions' => $share->getPermissions(),
'path' => $userFolder->getRelativePath($share->getNode()->getPath()),
));
}
return $share;
}
/**
* Updates the password of the given share if it is not the same as the
* password of the original share.
*
* @param \OCP\Share\IShare $share the share to update its password.
* @param \OCP\Share\IShare $originalShare the original share to compare its
* password with.
* @return boolean whether the password was updated or not.
*/
private function updateSharePasswordIfNeeded(\OCP\Share\IShare $share, \OCP\Share\IShare $originalShare) {
// Password updated.
if ($share->getPassword() !== $originalShare->getPassword()) {
//Verify the password
$this->verifyPassword($share->getPassword());
// If a password is set. Hash it!
if ($share->getPassword() !== null) {
$share->setPassword($this->hasher->hash($share->getPassword()));
return true;
}
}
return false;
}
/**
* Delete all the children of this share
* FIXME: remove once https://github.com/owncloud/core/pull/21660 is in
*
* @param \OCP\Share\IShare $share
* @return \OCP\Share\IShare[] List of deleted shares
*/
protected function deleteChildren(\OCP\Share\IShare $share) {
$deletedShares = [];
$provider = $this->factory->getProviderForType($share->getShareType());
foreach ($provider->getChildren($share) as $child) {
$deletedChildren = $this->deleteChildren($child);
$deletedShares = array_merge($deletedShares, $deletedChildren);
$provider->delete($child);
$deletedShares[] = $child;
}
return $deletedShares;
}
/**
* Delete a share
*
* @param \OCP\Share\IShare $share
* @throws ShareNotFound
* @throws \InvalidArgumentException
*/
public function deleteShare(\OCP\Share\IShare $share) {
try {
$share->getFullId();
} catch (\UnexpectedValueException $e) {
throw new \InvalidArgumentException('Share does not have a full id');
}
$event = new GenericEvent($share);
$this->eventDispatcher->dispatch('OCP\Share::preUnshare', $event);
// Get all children and delete them as well
$deletedShares = $this->deleteChildren($share);
// Do the actual delete
$provider = $this->factory->getProviderForType($share->getShareType());
$provider->delete($share);
// All the deleted shares caused by this delete
$deletedShares[] = $share;
// Emit post hook
$event->setArgument('deletedShares', $deletedShares);
$this->eventDispatcher->dispatch('OCP\Share::postUnshare', $event);
}
/**
* Unshare a file as the recipient.
* This can be different from a regular delete for example when one of
* the users in a groups deletes that share. But the provider should
* handle this.
*
* @param \OCP\Share\IShare $share
* @param string $recipientId
*/
public function deleteFromSelf(\OCP\Share\IShare $share, $recipientId) {
list($providerId, ) = $this->splitFullId($share->getFullId());
$provider = $this->factory->getProvider($providerId);
$provider->deleteFromSelf($share, $recipientId);
}
/**
* @inheritdoc
*/
public function moveShare(\OCP\Share\IShare $share, $recipientId) {
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK) {
throw new \InvalidArgumentException('Cant change target of link share');
}
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_USER && $share->getSharedWith() !== $recipientId) {
throw new \InvalidArgumentException('Invalid recipient');
}
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
$sharedWith = $this->groupManager->get($share->getSharedWith());
if (is_null($sharedWith)) {
throw new \InvalidArgumentException('Group "' . $share->getSharedWith() . '" does not exist');
}
$recipient = $this->userManager->get($recipientId);
if (!$sharedWith->inGroup($recipient)) {
throw new \InvalidArgumentException('Invalid recipient');
}
}
list($providerId, ) = $this->splitFullId($share->getFullId());
$provider = $this->factory->getProvider($providerId);
$provider->move($share, $recipientId);
}
public function getSharesInFolder($userId, Folder $node, $reshares = false) {
$providers = $this->factory->getAllProviders();
return array_reduce($providers, function($shares, IShareProvider $provider) use ($userId, $node, $reshares) {
$newShares = $provider->getSharesInFolder($userId, $node, $reshares);
foreach ($newShares as $fid => $data) {
if (!isset($shares[$fid])) {
$shares[$fid] = [];
}
$shares[$fid] = array_merge($shares[$fid], $data);
}
return $shares;
}, []);
}
/**
* @inheritdoc
*/
public function getSharesBy($userId, $shareType, $path = null, $reshares = false, $limit = 50, $offset = 0) {
if ($path !== null &&
!($path instanceof \OCP\Files\File) &&
!($path instanceof \OCP\Files\Folder)) {
throw new \InvalidArgumentException('invalid path');
}
try {
$provider = $this->factory->getProviderForType($shareType);
} catch (ProviderException $e) {
return [];
}
$shares = $provider->getSharesBy($userId, $shareType, $path, $reshares, $limit, $offset);
/*
* Work around so we don't return expired shares but still follow
* proper pagination.
*/
$shares2 = [];
while(true) {
$added = 0;
foreach ($shares as $share) {
try {
$this->checkExpireDate($share);
} catch (ShareNotFound $e) {
//Ignore since this basically means the share is deleted
continue;
}
$added++;
$shares2[] = $share;
if (count($shares2) === $limit) {
break;
}
}
if (count($shares2) === $limit) {
break;
}
// If there was no limit on the select we are done
if ($limit === -1) {
break;
}
$offset += $added;
// Fetch again $limit shares
$shares = $provider->getSharesBy($userId, $shareType, $path, $reshares, $limit, $offset);
// No more shares means we are done
if (empty($shares)) {
break;
}
}
$shares = $shares2;
return $shares;
}
/**
* @inheritdoc
*/
public function getSharedWith($userId, $shareType, $node = null, $limit = 50, $offset = 0) {
try {
$provider = $this->factory->getProviderForType($shareType);
} catch (ProviderException $e) {
return [];
}
$shares = $provider->getSharedWith($userId, $shareType, $node, $limit, $offset);
// remove all shares which are already expired
foreach ($shares as $key => $share) {
try {
$this->checkExpireDate($share);
} catch (ShareNotFound $e) {
unset($shares[$key]);
}
}
return $shares;
}
/**
* @inheritdoc
*/
public function getShareById($id, $recipient = null) {
if ($id === null) {
throw new ShareNotFound();
}
list($providerId, $id) = $this->splitFullId($id);
try {
$provider = $this->factory->getProvider($providerId);
} catch (ProviderException $e) {
throw new ShareNotFound();
}
$share = $provider->getShareById($id, $recipient);
$this->checkExpireDate($share);
return $share;
}
/**
* Get all the shares for a given path
*
* @param \OCP\Files\Node $path
* @param int $page
* @param int $perPage
*
* @return Share[]
*/
public function getSharesByPath(\OCP\Files\Node $path, $page=0, $perPage=50) {
return [];
}
/**
* Get the share by token possible with password
*
* @param string $token
* @return Share
*
* @throws ShareNotFound
*/
public function getShareByToken($token) {
$share = null;
try {
if($this->shareApiAllowLinks()) {
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_LINK);
$share = $provider->getShareByToken($token);
}
} catch (ProviderException $e) {
} catch (ShareNotFound $e) {
}
// If it is not a link share try to fetch a federated share by token
if ($share === null) {
try {
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_REMOTE);
$share = $provider->getShareByToken($token);
} catch (ProviderException $e) {
} catch (ShareNotFound $e) {
}
}
// If it is not a link share try to fetch a mail share by token
if ($share === null && $this->shareProviderExists(\OCP\Share::SHARE_TYPE_EMAIL)) {
try {
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_EMAIL);
$share = $provider->getShareByToken($token);
} catch (ProviderException $e) {
} catch (ShareNotFound $e) {
}
}
if ($share === null) {
throw new ShareNotFound($this->l->t('The requested share does not exist anymore'));
}
$this->checkExpireDate($share);
/*
* Reduce the permissions for link shares if public upload is not enabled
*/
if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK &&
!$this->shareApiLinkAllowPublicUpload()) {
$share->setPermissions($share->getPermissions() & ~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE));
}
return $share;
}
protected function checkExpireDate($share) {
if ($share->getExpirationDate() !== null &&
$share->getExpirationDate() <= new \DateTime()) {
$this->deleteShare($share);
throw new ShareNotFound($this->l->t('The requested share does not exist anymore'));
}
}
/**
* Verify the password of a public share
*
* @param \OCP\Share\IShare $share
* @param string $password
* @return bool
*/
public function checkPassword(\OCP\Share\IShare $share, $password) {
$passwordProtected = $share->getShareType() !== \OCP\Share::SHARE_TYPE_LINK
|| $share->getShareType() !== \OCP\Share::SHARE_TYPE_EMAIL;
if (!$passwordProtected) {
//TODO maybe exception?
return false;
}
if ($password === null || $share->getPassword() === null) {
return false;
}
$newHash = '';
if (!$this->hasher->verify($password, $share->getPassword(), $newHash)) {
return false;
}
if (!empty($newHash)) {
$share->setPassword($newHash);
$provider = $this->factory->getProviderForType($share->getShareType());
$provider->update($share);
}
return true;
}
/**
* @inheritdoc
*/
public function userDeleted($uid) {
$types = [\OCP\Share::SHARE_TYPE_USER, \OCP\Share::SHARE_TYPE_GROUP, \OCP\Share::SHARE_TYPE_LINK, \OCP\Share::SHARE_TYPE_REMOTE, \OCP\Share::SHARE_TYPE_EMAIL];
foreach ($types as $type) {
try {
$provider = $this->factory->getProviderForType($type);
} catch (ProviderException $e) {
continue;
}
$provider->userDeleted($uid, $type);
}
}
/**
* @inheritdoc
*/
public function groupDeleted($gid) {
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_GROUP);
$provider->groupDeleted($gid);
}
/**
* @inheritdoc
*/
public function userDeletedFromGroup($uid, $gid) {
$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_GROUP);
$provider->userDeletedFromGroup($uid, $gid);
}
/**
* Get access list to a path. This means
* all the users that can access a given path.
*
* Consider:
* -root
* |-folder1 (23)
* |-folder2 (32)
* |-fileA (42)
*
* fileA is shared with user1 and user1@server1
* folder2 is shared with group2 (user4 is a member of group2)
* folder1 is shared with user2 (renamed to "folder (1)") and user2@server2
*
* Then the access list to '/folder1/folder2/fileA' with $currentAccess is:
* [
* users => [
* 'user1' => ['node_id' => 42, 'node_path' => '/fileA'],
* 'user4' => ['node_id' => 32, 'node_path' => '/folder2'],
* 'user2' => ['node_id' => 23, 'node_path' => '/folder (1)'],
* ],
* remote => [
* 'user1@server1' => ['node_id' => 42, 'token' => 'SeCr3t'],
* 'user2@server2' => ['node_id' => 23, 'token' => 'FooBaR'],
* ],
* public => bool
* mail => bool
* ]
*
* The access list to '/folder1/folder2/fileA' **without** $currentAccess is:
* [
* users => ['user1', 'user2', 'user4'],
* remote => bool,
* public => bool
* mail => bool
* ]
*
* This is required for encryption/activity
*
* @param \OCP\Files\Node $path
* @param bool $recursive Should we check all parent folders as well
* @param bool $currentAccess Should the user have currently access to the file
* @return array
*/
public function getAccessList(\OCP\Files\Node $path, $recursive = true, $currentAccess = false) {
$owner = $path->getOwner()->getUID();
if ($currentAccess) {
$al = ['users' => [], 'remote' => [], 'public' => false];
} else {
$al = ['users' => [], 'remote' => false, 'public' => false];
}
if (!$this->userManager->userExists($owner)) {
return $al;
}
//Get node for the owner
$userFolder = $this->rootFolder->getUserFolder($owner);
if ($path->getId() !== $userFolder->getId() && !$userFolder->isSubNode($path)) {
$path = $userFolder->getById($path->getId())[0];
}
$providers = $this->factory->getAllProviders();
/** @var Node[] $nodes */
$nodes = [];
if ($currentAccess) {
$ownerPath = $path->getPath();
$ownerPath = explode('/', $ownerPath, 4);
if (count($ownerPath) < 4) {
$ownerPath = '';
} else {
$ownerPath = $ownerPath[3];
}
$al['users'][$owner] = [
'node_id' => $path->getId(),
'node_path' => '/' . $ownerPath,
];
} else {
$al['users'][] = $owner;
}
// Collect all the shares
while ($path->getPath() !== $userFolder->getPath()) {
$nodes[] = $path;
if (!$recursive) {
break;
}
$path = $path->getParent();
}
foreach ($providers as $provider) {
$tmp = $provider->getAccessList($nodes, $currentAccess);
foreach ($tmp as $k => $v) {
if (isset($al[$k])) {
if (is_array($al[$k])) {
$al[$k] = array_merge($al[$k], $v);
} else {
$al[$k] = $al[$k] || $v;
}
} else {
$al[$k] = $v;
}
}
}
return $al;
}
/**
* Create a new share
* @return \OCP\Share\IShare;
*/
public function newShare() {
return new \OC\Share20\Share($this->rootFolder, $this->userManager);
}
/**
* Is the share API enabled
*
* @return bool
*/
public function shareApiEnabled() {
return $this->config->getAppValue('core', 'shareapi_enabled', 'yes') === 'yes';
}
/**
* Is public link sharing enabled
*
* @return bool
*/
public function shareApiAllowLinks() {
return $this->config->getAppValue('core', 'shareapi_allow_links', 'yes') === 'yes';
}
/**
* Is password on public link requires
*
* @return bool
*/
public function shareApiLinkEnforcePassword() {
return $this->config->getAppValue('core', 'shareapi_enforce_links_password', 'no') === 'yes';
}
/**
* Is default expire date enabled
*
* @return bool
*/
public function shareApiLinkDefaultExpireDate() {
return $this->config->getAppValue('core', 'shareapi_default_expire_date', 'no') === 'yes';
}
/**
* Is default expire date enforced
*`
* @return bool
*/
public function shareApiLinkDefaultExpireDateEnforced() {
return $this->shareApiLinkDefaultExpireDate() &&
$this->config->getAppValue('core', 'shareapi_enforce_expire_date', 'no') === 'yes';
}
/**
* Number of default expire days
*shareApiLinkAllowPublicUpload
* @return int
*/
public function shareApiLinkDefaultExpireDays() {
return (int)$this->config->getAppValue('core', 'shareapi_expire_after_n_days', '7');
}
/**
* Allow public upload on link shares
*
* @return bool
*/
public function shareApiLinkAllowPublicUpload() {
return $this->config->getAppValue('core', 'shareapi_allow_public_upload', 'yes') === 'yes';
}
/**
* check if user can only share with group members
* @return bool
*/
public function shareWithGroupMembersOnly() {
return $this->config->getAppValue('core', 'shareapi_only_share_with_group_members', 'no') === 'yes';
}
/**
* Check if users can share with groups
* @return bool
*/
public function allowGroupSharing() {
return $this->config->getAppValue('core', 'shareapi_allow_group_sharing', 'yes') === 'yes';
}
/**
* Copied from \OC_Util::isSharingDisabledForUser
*
* TODO: Deprecate fuction from OC_Util
*
* @param string $userId
* @return bool
*/
public function sharingDisabledForUser($userId) {
if ($userId === null) {
return false;
}
if (isset($this->sharingDisabledForUsersCache[$userId])) {
return $this->sharingDisabledForUsersCache[$userId];
}
if ($this->config->getAppValue('core', 'shareapi_exclude_groups', 'no') === 'yes') {
$groupsList = $this->config->getAppValue('core', 'shareapi_exclude_groups_list', '');
$excludedGroups = json_decode($groupsList);
if (is_null($excludedGroups)) {
$excludedGroups = explode(',', $groupsList);
$newValue = json_encode($excludedGroups);
$this->config->setAppValue('core', 'shareapi_exclude_groups_list', $newValue);
}
$user = $this->userManager->get($userId);
$usersGroups = $this->groupManager->getUserGroupIds($user);
if (!empty($usersGroups)) {
$remainingGroups = array_diff($usersGroups, $excludedGroups);
// if the user is only in groups which are disabled for sharing then
// sharing is also disabled for the user
if (empty($remainingGroups)) {
$this->sharingDisabledForUsersCache[$userId] = true;
return true;
}
}
}
$this->sharingDisabledForUsersCache[$userId] = false;
return false;
}
/**
* @inheritdoc
*/
public function outgoingServer2ServerSharesAllowed() {
return $this->config->getAppValue('files_sharing', 'outgoing_server2server_share_enabled', 'yes') === 'yes';
}
/**
* @inheritdoc
*/
public function shareProviderExists($shareType) {
try {
$this->factory->getProviderForType($shareType);
} catch (ProviderException $e) {
return false;
}
return true;
}
}