From 38c1b87435f1562180af449a06da8c85a6e7c080 Mon Sep 17 00:00:00 2001
From: Ashod Nakashian
Date: Wed, 23 Mar 2016 21:57:22 -0400
Subject: [PATCH] wopi: support for file sharing and authentication

---
 controller/documentcontroller.php | 5 +++++
 lib/db/wopi.php | 31 +++++++++++++++++++++++++++----
 2 files changed, 32 insertions(+), 4 deletions(-)

diff --git a/controller/documentcontroller.php b/controller/documentcontroller.php
index 1dbf043b..0758f511 100644
--- a/controller/documentcontroller.php
+++ b/controller/documentcontroller.php
@@ -301,6 +301,7 @@ class DocumentController extends Controller{
 	}
 
 	/**
+	 * @NoAdminRequired
 	 * Generates and returns an access token for a given fileId.
 	 * Only for authenticated users!
 	 */
@@ -332,6 +333,10 @@ class DocumentController extends Controller{
 		$row->loadBy('token', $token);
 		$res = $row->getPathForToken($fileId, $token);
 
+		if ($res == false || http_response_code() != 200)
+		{
+			return false;
+		}
 
 		$view = new \OC\Files\View('/' . $res['user'] . '/');
 		$info = $view->getFileInfo($res['path']);
diff --git a/lib/db/wopi.php b/lib/db/wopi.php
index 306204d3..7fca0bca 100644
--- a/lib/db/wopi.php
+++ b/lib/db/wopi.php
@@ -40,10 +40,21 @@ class Wopi extends \OCA\Richdocuments\Db{
 	 * Returns the token.
 	 */
 	public function generateFileToken($fileId){
-		$user = \OC_User::getUser();
-		$view = new \OC\Files\View('/' . $user . '/');
-		$path = $view->getPath($fileId);
+		// Get the FS view of the current user.
+		$view = \OC\Files\Filesystem::getView();
+		// Get the virtual path (if the file is shared).
+		$path = $view->getPath($fileId);
+		if (!$view->is_file($path) || !$view->isUpdatable($path)) {
+			throw new \Exception('Invalid fileId.');
+		}
+
+		// Figure out the real owner, if not us.
+		$user = $view->getOwner($path);
+		// Create a view into the owner's FS.
+		$view = new \OC\Files\View('/' . $user . '/');
+		// Find the real path.
+		$path = $view->getPath($fileId);
 		if (!$view->is_file($path)) {
 			throw new \Exception('Invalid fileId.');
 		}
 
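Review bot: The new guard in the second documentcontroller.php hunk uses loose comparison and PHP's global response code as its error channel: `$res == false` also matches an empty array, and `http_response_code() != 200` couples this action to a status that getPathForToken sets as a side effect. Prefer `if ($res === false || http_response_code() !== 200) {` and consider having getPathForToken throw or return a typed failure so the controller decides the status itself. If the AppFramework expects a Response object from this action, returning `false` here may not yield the 401/404 the callee set — worth confirming. The enclosing method starts and ends outside the hunk.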
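Review bot: In generateFileToken the `isUpdatable` check on the caller's own view is now the only authorization gate before a token is minted on the owner's path, but nothing in the code says so; a comment such as `// Authorization: the caller must hold write access to the file in their own view before a token on the owner's path is issued.` would keep a later edit from weakening it. The first guard also folds "not a file" and "no write permission" into the same `Invalid fileId.` message as the second guard, so logs cannot tell which check fired; a distinct message for the permission case (no path detail needed) would help. `\OC\Files\Filesystem::getView()` presumably returns null when no user filesystem is set up — confirm and guard if so. The method continues past the end of the hunk.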
@@ -80,13 +91,25 @@ class Wopi extends \OCA\Richdocuments\Db{
 		$wopi = new Wopi();
 		$row = $wopi->loadBy('token', $token)->getData();
 		\OC::$server->getLogger()->debug('Loaded WOPI Token record: {row}.', [ 'row' => $row ]);
+		if (count($row) == 0)
+		{
+			// Invalid token.
+			http_response_code(401);
+			return false;
+		}
 
 		//TODO: validate.
-		if ($row['expiry'] > time() || $row['fileid'] !== $fileId){
+		if ($row['expiry'] > time()){
 			// Expired token!
+			//http_response_code(404);
 			//$wopi->deleteBy('id', $row['id']);
 			//return false;
 		}
+		if ($row['fileid'] !== $fileId){
+			// File unknown / user unauthorized (for the requested file).
+			http_response_code(404);
+			return false;
+		}
 
 		$user = $row['uid'];
 		$view = new \OC\Files\View('/' . $user . '/');
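Review bot: The expiry check is still inert: `$row['expiry'] > time()` is true for a token that has not yet expired, and the branch body is entirely commented out, so an expired token is accepted as long as its fileid matches. Since this commit introduces the 401/404 paths, the expiry path should get the same treatment, e.g. `if ($row['expiry'] < time()) { http_response_code(401); return false; }` (use `<=` if expiry is stored as an exclusive bound). The `!==` on `$row['fileid']` compares a value read from the database with `$fileId`; if the driver returns strings and the caller passes an int, every request would 404 — worth confirming the types agree before relying on the strict comparison. The rest of the method lies outside the hunk.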