DontSellMe/richdocuments
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Merge pull request #134 from pranavk/WOPI

Browse Source 
security: Support WOPI's PostMessageOrigin
This commit is contained in:
Andras Timar 2016-10-28 14:35:59 +02:00 committed by GitHub
commit d18fe71c12
5 changed files with 60 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
appinfo/database.xml
View File

@ -327,6 +327,13 @@
<notnull>true</notnull>
<comments>Can make changes to this file</comments>
</field>
<field>
<name>server_host</name>
<type>text</type>
<default>localhost</default>
<notnull>true</notnull>
<comments>Host from which token generation request originated</comments>
</field>
<field>
<name>token</name>
<type>text</type>

2
appinfo/info.xml
View File

@ -5,7 +5,7 @@
<description>Collabora Online allows you to to work with all kinds of office documents directly in your browser. This application requires Collabora Cloudsuite to be installed on one of your servers, please read the documentation to learn more about that.</description>
<summary>Edit office documents directly in your browser.</summary>
<licence>AGPL</licence>
<version>1.1.10</version>
<version>1.1.11</version>
<author>Collabora Productivity based on work of Frank Karlitschek, Victor Dubiniuk</author>
<bugs>https://github.com/owncloud/richdocuments/issues</bugs>
<repository type="git">https://github.com/owncloud/richdocuments.git</repository>

7
controller/documentcontroller.php
View File

@ -503,7 +503,8 @@ class DocumentController extends Controller {
\OC::$server->getLogger()->debug('File with {fileid} has updatable set to {updatable}', [ 'app' => $this->appName, 'fileid' => $fileId, 'updatable' => $updatable ]);
$row = new Db\Wopi();
$token = $row->generateFileToken($fileId, $version, $updatable);
$serverHost = $this->request->getServerProtocol() . '://' . $this->request->getServerHost();
$token = $row->generateFileToken($fileId, $version, $updatable, $serverHost);
// Return the token.
return array(
@ -543,7 +544,6 @@ class DocumentController extends Controller {
$this->loginUser($res['owner']);
$view = new \OC\Files\View('/' . $res['owner'] . '/files');
$info = $view->getFileInfo($res['path']);
$this->logoutUser();
if (!$info) {
@ -558,7 +558,8 @@ class DocumentController extends Controller {
'Version' => $version,
'UserId' => $res['editor'],
'UserFriendlyName' => $editorName,
'UserCanWrite' => $res['canwrite'] ? 'true' : 'false'
'UserCanWrite' => $res['canwrite'] ? 'true' : 'false',
'PostMessageOrigin' => $res['server_host']
);
}

46
js/documents.js
View File

@ -473,23 +473,49 @@ var documentsMain = {
$('#mainContainer').append(form);
$('#mainContainer').append(frame);
// handler for the 'Close' button - we have enabled it via closebutton=1
// Listen for App_LoadingStatus as soon as possible
$('#loleafletframe').ready(function() {
var editorInitListener = function(e) {
var msg = JSON.parse(e.data);
if (msg.MessageId === 'App_LoadingStatus') {
window.removeEventListener('message', editorInitListener, false);
}
};
window.addEventListener('message', editorInitListener, false);
});
$('#loleafletframe').load(function(){
documentsMain.overlay.documentOverlay('hide');
// And start listening to incoming post messages
window.addEventListener('message', function(e){
if (documentsMain.isViewerMode) {
return;
}
if (e.data === 'close') {
try {
var msg = JSON.parse(e.data).MessageId;
} catch(exc) {
msg = e.data;
}
if (msg === 'UI_Close' || msg === 'close') {
documentsMain.onClose();
} else if (e.data === 'rev-history') {
} else if (msg === 'rev-history') {
documentsMain.UI.showRevHistory($('li[data-id=' + documentsMain.fileId + ']>a').attr('original-title'));
}
});
// Tell the LOOL iframe that we are ready now
documentsMain.WOPIPostMessage($('#loleafletframe')[0], 'Host_PostmessageReady', {});
// LOOL Iframe is ready, turn off our overlay
// This should ideally be taken off when we receive App_LoadingStatus, but
// for backward compatibility with older lool, lets keep it here till we decide
// to break older lools
documentsMain.overlay.documentOverlay('hide');
});
// submit that
$('#loleafletform').submit();
});
},
@ -586,6 +612,18 @@ var documentsMain = {
documentsMain.ready = true;
},
WOPIPostMessage: function(iframe, msgId, values) {
if (iframe) {
var msg = {
'MessageId': msgId,
'SendTime': Date.now(),
'Values': values
};
iframe.contentWindow.postMessage(JSON.stringify(msg), '*');
}
},
prepareSession : function(){
documentsMain.isEditorMode = true;
documentsMain.overlay.documentOverlay('show');

10
lib/db/wopi.php
View File

@ -29,8 +29,8 @@ class Wopi extends \OCA\Richdocuments\Db{
protected $tableName = '`*PREFIX*richdocuments_wopi`';
protected $insertStatement = 'INSERT INTO `*PREFIX*richdocuments_wopi` (`owner_uid`, `editor_uid`, `fileid`, `version`, `path`, `canwrite`, `token`, `expiry`)
VALUES (?, ?, ?, ?, ?, ?, ?, ?)';
protected $insertStatement = 'INSERT INTO `*PREFIX*richdocuments_wopi` (`owner_uid`, `editor_uid`, `fileid`, `version`, `path`, `canwrite`, `server_host`, `token`, `expiry`)
VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)';
protected $loadStatement = 'SELECT * FROM `*PREFIX*richdocuments_wopi` WHERE `token`= ?';
@ -41,7 +41,7 @@ class Wopi extends \OCA\Richdocuments\Db{
* its the version number as stored by files_version app
* Returns the token.
*/
public function generateFileToken($fileId, $version, $updatable){
public function generateFileToken($fileId, $version, $updatable, $serverHost){
// Get the FS view of the current user.
$view = \OC\Files\Filesystem::getView();
@ -80,6 +80,7 @@ class Wopi extends \OCA\Richdocuments\Db{
$version,
$path,
$updatable,
$serverHost,
$token,
time() + self::TOKEN_LIFETIME_SECONDS
]);
@ -125,7 +126,8 @@ class Wopi extends \OCA\Richdocuments\Db{
'owner' => $row['owner_uid'],
'editor' => $row['editor_uid'],
'path' => $row['path'],
'canwrite' => $row['canwrite']
'canwrite' => $row['canwrite'],
'server_host' => $row['server_host']
);
}
}