Skip to content

Commit

Permalink
Disable link shares of disabled users
Browse files Browse the repository at this point in the history
Fixes #10869

Signed-off-by: Roeland Jago Douma <[email protected]>
  • Loading branch information
rullzer committed Feb 7, 2020
1 parent d2d7e37 commit 260892e
Show file tree
Hide file tree
Showing 2 changed files with 146 additions and 6 deletions.
12 changes: 12 additions & 0 deletions apps/files_sharing/lib/Controller/ShareController.php
Original file line number Diff line number Diff line change
Expand Up @@ -271,6 +271,18 @@ protected function emitAccessShareHook($share, $errorCode = 200, $errorMessage =
* @return bool
*/
private function validateShare(\OCP\Share\IShare $share) {
// If the owner is disabled no access to the linke is granted
$owner = $this->userManager->get($share->getShareOwner());
if ($owner === null || !$owner->isEnabled()) {
return false;
}

// If the initiator of the share is disabled no access is granted
$initiator = $this->userManager->get($share->getSharedBy());
if ($initiator === null || !$initiator->isEnabled()) {
return false;
}

return $share->getNode()->isReadable() && $share->getNode()->isShareable();
}

Expand Down
140 changes: 134 additions & 6 deletions apps/files_sharing/tests/Controller/ShareControllerTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@
use OCP\AppFramework\Http\Template\PublicTemplateResponse;
use OCP\AppFramework\Http\Template\SimpleMenuAction;
use OCP\Constants;
use OCP\Files\File;
use OCP\Files\NotFoundException;
use OCP\Files\Storage;
use OCP\IConfig;
Expand Down Expand Up @@ -201,11 +202,17 @@ public function testShowShare() {

$this->shareController->setToken('token');

$owner = $this->getMockBuilder(IUser::class)->getMock();
$owner = $this->createMock(IUser::class);
$owner->method('getDisplayName')->willReturn('ownerDisplay');
$owner->method('getUID')->willReturn('ownerUID');
$owner->method('isEnabled')->willReturn(true);

$file = $this->getMockBuilder('OCP\Files\File')->getMock();
$initiator = $this->createMock(IUser::class);
$initiator->method('getDisplayName')->willReturn('initiatorDisplay');
$initiator->method('getUID')->willReturn('initiatorUID');
$initiator->method('isEnabled')->willReturn(true);

$file = $this->createMock(File::class);
$file->method('getName')->willReturn('file1.txt');
$file->method('getMimetype')->willReturn('text/plain');
$file->method('getSize')->willReturn(33);
Expand All @@ -216,6 +223,7 @@ public function testShowShare() {
$share->setId(42);
$share->setPassword('password')
->setShareOwner('ownerUID')
->setSharedBy('initiatorUID')
->setNode($file)
->setNote($note)
->setTarget('/file1.txt');
Expand Down Expand Up @@ -253,7 +261,15 @@ public function testShowShare() {
->with('core', 'shareapi_public_link_disclaimertext', null)
->willReturn('My disclaimer text');

$this->userManager->method('get')->with('ownerUID')->willReturn($owner);
$this->userManager->method('get')->willReturnCallback(function(string $uid) use ($owner, $initiator) {
if ($uid === 'ownerUID') {
return $owner;
}
if ($uid === 'initiatorUID') {
return $initiator;
}
return null;
});

$this->eventDispatcher->expects($this->once())
->method('dispatch')
Expand Down Expand Up @@ -325,6 +341,12 @@ public function testShowShareHideDownload() {
$owner = $this->getMockBuilder(IUser::class)->getMock();
$owner->method('getDisplayName')->willReturn('ownerDisplay');
$owner->method('getUID')->willReturn('ownerUID');
$owner->method('isEnabled')->willReturn(true);

$initiator = $this->createMock(IUser::class);
$initiator->method('getDisplayName')->willReturn('initiatorDisplay');
$initiator->method('getUID')->willReturn('initiatorUID');
$initiator->method('isEnabled')->willReturn(true);

$file = $this->getMockBuilder('OCP\Files\File')->getMock();
$file->method('getName')->willReturn('file1.txt');
Expand All @@ -337,6 +359,7 @@ public function testShowShareHideDownload() {
$share->setId(42);
$share->setPassword('password')
->setShareOwner('ownerUID')
->setSharedBy('initiatorUID')
->setNode($file)
->setNote($note)
->setTarget('/file1.txt')
Expand Down Expand Up @@ -378,7 +401,15 @@ public function testShowShareHideDownload() {
->with('core', 'shareapi_public_link_disclaimertext', null)
->willReturn('My disclaimer text');

$this->userManager->method('get')->with('ownerUID')->willReturn($owner);
$this->userManager->method('get')->willReturnCallback(function(string $uid) use ($owner, $initiator) {
if ($uid === 'ownerUID') {
return $owner;
}
if ($uid === 'initiatorUID') {
return $initiator;
}
return null;
});

$this->eventDispatcher->expects($this->once())
->method('dispatch')
Expand Down Expand Up @@ -451,6 +482,12 @@ public function testShareFileDrop() {
$owner = $this->getMockBuilder(IUser::class)->getMock();
$owner->method('getDisplayName')->willReturn('ownerDisplay');
$owner->method('getUID')->willReturn('ownerUID');
$owner->method('isEnabled')->willReturn(true);

$initiator = $this->createMock(IUser::class);
$initiator->method('getDisplayName')->willReturn('initiatorDisplay');
$initiator->method('getUID')->willReturn('initiatorUID');
$initiator->method('isEnabled')->willReturn(true);

/* @var MockObject|Storage $storage */
$storage = $this->getMockBuilder(Storage::class)
Expand All @@ -472,6 +509,7 @@ public function testShareFileDrop() {
$share->setId(42);
$share->setPermissions(Constants::PERMISSION_CREATE)
->setShareOwner('ownerUID')
->setSharedBy('initiatorUID')
->setNode($folder)
->setTarget('/fileDrop');

Expand All @@ -481,7 +519,15 @@ public function testShareFileDrop() {
->with('token')
->willReturn($share);

$this->userManager->method('get')->with('ownerUID')->willReturn($owner);
$this->userManager->method('get')->willReturnCallback(function(string $uid) use ($owner, $initiator) {
if ($uid === 'ownerUID') {
return $owner;
}
if ($uid === 'initiatorUID') {
return $initiator;
}
return null;
});

$this->l10n->expects($this->any())
->method('t')
Expand Down Expand Up @@ -535,7 +581,7 @@ public function testShareFileDrop() {
self::assertEquals($expectedResponse, $response);
}


public function testShowShareInvalid() {
$this->expectException(\OCP\Files\NotFoundException::class);

Expand Down Expand Up @@ -604,4 +650,86 @@ public function testDownloadShareWithCreateOnlyShare() {
$expectedResponse = new DataResponse('Share is read-only');
$this->assertEquals($expectedResponse, $response);
}

public function testDisabledOwner() {
$this->shareController->setToken('token');

$owner = $this->getMockBuilder(IUser::class)->getMock();
$owner->method('isEnabled')->willReturn(false);

$initiator = $this->createMock(IUser::class);
$initiator->method('isEnabled')->willReturn(false);

/* @var MockObject|Folder $folder */
$folder = $this->createMock(Folder::class);

$share = \OC::$server->getShareManager()->newShare();
$share->setId(42);
$share->setPermissions(Constants::PERMISSION_CREATE)
->setShareOwner('ownerUID')
->setSharedBy('initiatorUID')
->setNode($folder)
->setTarget('/share');

$this->shareManager
->expects($this->once())
->method('getShareByToken')
->with('token')
->willReturn($share);

$this->userManager->method('get')->willReturnCallback(function(string $uid) use ($owner, $initiator) {
if ($uid === 'ownerUID') {
return $owner;
}
if ($uid === 'initiatorUID') {
return $initiator;
}
return null;
});

$this->expectException(NotFoundException::class);

$this->shareController->showShare();
}

public function testDisabledInitiator() {
$this->shareController->setToken('token');

$owner = $this->getMockBuilder(IUser::class)->getMock();
$owner->method('isEnabled')->willReturn(false);

$initiator = $this->createMock(IUser::class);
$initiator->method('isEnabled')->willReturn(true);

/* @var MockObject|Folder $folder */
$folder = $this->createMock(Folder::class);

$share = \OC::$server->getShareManager()->newShare();
$share->setId(42);
$share->setPermissions(Constants::PERMISSION_CREATE)
->setShareOwner('ownerUID')
->setSharedBy('initiatorUID')
->setNode($folder)
->setTarget('/share');

$this->shareManager
->expects($this->once())
->method('getShareByToken')
->with('token')
->willReturn($share);

$this->userManager->method('get')->willReturnCallback(function(string $uid) use ($owner, $initiator) {
if ($uid === 'ownerUID') {
return $owner;
}
if ($uid === 'initiatorUID') {
return $initiator;
}
return null;
});

$this->expectException(NotFoundException::class);

$this->shareController->showShare();
}
}

0 comments on commit 260892e

Please sign in to comment.