Skip to content

Commit

Permalink
Fix nested resource check for publicly shared space root
Browse files Browse the repository at this point in the history
The 'Path' returned as part of the ResourceInfo from a Stat call might
be relative. So we need to Use 'GetPath()' to lookup the full path of
the parent. Otherwise the simple 'HasPrefix' check for whether a file a
ancestor might fail.

Co-Authored-By: Christian Richter <[email protected]>
  • Loading branch information
rhafer and dragonchaser committed Apr 16, 2024
1 parent ea8ee61 commit 3919a3e
Show file tree
Hide file tree
Showing 2 changed files with 17 additions and 2 deletions.
7 changes: 7 additions & 0 deletions changelog/unreleased/fix_public_share_space_root.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
Bugfix: Fix access to files withing a public link targeting a space root

We fixed an issue that prevented users from opening documents within a public share
that targets a space root.

https://github.com/cs3org/reva/pull/4632/
https://github.com/owncloud/ocis/issues/8691
12 changes: 10 additions & 2 deletions internal/grpc/interceptors/auth/scope.go
Original file line number Diff line number Diff line change
Expand Up @@ -264,7 +264,15 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
if statResponse.Status.Code != rpc.Code_CODE_OK {
return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor")
}
parentPath := statResponse.Info.Path

pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: statResponse.GetInfo().GetId()})
if err != nil {
return false, err
}
if pathResp.Status.Code != rpc.Code_CODE_OK {
return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor")
}
parentPath := pathResp.Path

childPath := ref.GetPath()
if childPath != "" && childPath != "." && strings.HasPrefix(childPath, parentPath) {
Expand Down Expand Up @@ -308,7 +316,7 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
if childStat.Status.Code != rpc.Code_CODE_OK {
return false, statuspkg.NewErrorFromCode(childStat.Status.Code, "auth interceptor")
}
pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()})
pathResp, err = client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()})
if err != nil {
return false, err
}
Expand Down

0 comments on commit 3919a3e

Please sign in to comment.