From bed59dd9fd9227992761d1ddd099fa119f4b7b55 Mon Sep 17 00:00:00 2001 From: jkoberg Date: Wed, 18 Sep 2024 10:22:53 +0200 Subject: [PATCH] fix(activitylog): fix unauthorized activity get Signed-off-by: jkoberg --- changelog/unreleased/fix-acitivity-leak.md | 5 +++++ services/activitylog/pkg/service/http.go | 12 ++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 changelog/unreleased/fix-acitivity-leak.md diff --git a/changelog/unreleased/fix-acitivity-leak.md b/changelog/unreleased/fix-acitivity-leak.md new file mode 100644 index 00000000000..eec8a1aba31 --- /dev/null +++ b/changelog/unreleased/fix-acitivity-leak.md @@ -0,0 +1,5 @@ +Bugfix: Fix Activities leak + +Fix activities endpoint by preventing unauthorized users to get activities + +https://github.com/owncloud/ocis/pull/10092 diff --git a/services/activitylog/pkg/service/http.go b/services/activitylog/pkg/service/http.go index deaebe94658..2c3139e18a9 100644 --- a/services/activitylog/pkg/service/http.go +++ b/services/activitylog/pkg/service/http.go @@ -53,6 +53,12 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h return } + gwc, err := s.gws.Next() + if err != nil { + w.WriteHeader(http.StatusInternalServerError) + return + } + rid, limit, rawActivityAccepted, activityAccepted, sort, err := s.getFilters(r.URL.Query().Get("kql")) if err != nil { s.log.Info().Str("query", r.URL.Query().Get("kql")).Err(err).Msg("error getting filters") @@ -61,6 +67,12 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h return } + _, err = utils.GetResourceByID(ctx, rid, gwc) + if err != nil { + w.WriteHeader(http.StatusForbidden) + return + } + raw, err := s.Activities(rid) if err != nil { s.log.Error().Err(err).Msg("error getting activities")