From aeac7eaffd2e2fe6e280b5f5141ba0afe56f1d50 Mon Sep 17 00:00:00 2001
From: Roman Perekhod
Date: Thu, 15 Feb 2024 23:14:19 +0100
Subject: [PATCH] [full-ci] fix an error when lock/unlock a file

---
 changelog/unreleased/fix-public-link-lock.md | 6 ++++++
 internal/http/services/owncloud/ocdav/locks.go | 10 ++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 changelog/unreleased/fix-public-link-lock.md

diff --git a/changelog/unreleased/fix-public-link-lock.md b/changelog/unreleased/fix-public-link-lock.md
new file mode 100644
index 00000000000..42a53432446
--- /dev/null
+++ b/changelog/unreleased/fix-public-link-lock.md
@@ -0,0 +1,6 @@
+Bugfix: Fix an error when lock/unlock a file
+
+We fixed a bug when anonymous user with viewer role in public link of a folder can lock/unlock a file inside it
+
+https://github.com/cs3org/reva/pull/4518
+https://github.com/owncloud/ocis/issues/7785
diff --git a/internal/http/services/owncloud/ocdav/locks.go b/internal/http/services/owncloud/ocdav/locks.go
index 332b9d22760..63c35449d6d 100644
--- a/internal/http/services/owncloud/ocdav/locks.go
+++ b/internal/http/services/owncloud/ocdav/locks.go
@@ -39,6 +39,7 @@ import (
 "github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/prop"
 "github.com/cs3org/reva/v2/internal/http/services/owncloud/ocdav/spacelookup"
 "github.com/cs3org/reva/v2/pkg/appctx"
+ "github.com/cs3org/reva/v2/pkg/conversions"
 ctxpkg "github.com/cs3org/reva/v2/pkg/ctx"
 "github.com/cs3org/reva/v2/pkg/errtypes"
 "github.com/cs3org/reva/v2/pkg/rgrpc/todo/pool"
@@ -241,6 +242,10 @@ func (cls *cs3LS) Refresh(ctx context.Context, now time.Time, token string, dura
 }
 func (cls *cs3LS) Unlock(ctx context.Context, now time.Time, ref *provider.Reference, token string) error {
 u := ctxpkg.ContextMustGetUser(ctx)
+ psr := utils.ReadPlainFromOpaque(u.Opaque, "public-share-role")
+ if psr != "" && psr != conversions.RoleEditor {
+ return errors.ErrForbidden
+ }
 r := &provider.UnlockRequest{
 Ref: ref,
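Review bot: The new gate in `Unlock` decides authorization purely from the `public-share-role` string read out of the user's opaque data, and only in this HTTP layer; if the same public-link session can reach the gateway's lock/unlock RPCs through any other route, the storage side still accepts the request, so this should not be the sole enforcement point. The empty-string case is treated as "not a public share" and allowed, so a public-link session whose auth manager did not stamp a role would pass the gate; unless no code path can produce such a user, which the hunk cannot show, a deny-by-default check at the gateway (refusing lock/unlock when the share grants no write permission) would be the stronger fix. The same condition is repeated verbatim in `lockReference`; a shared helper keeps the two in step, e.g. `// publicShareMayLock reports whether a public-link role string permits taking or releasing locks; an empty role means the request did not come through a public link.` over `func publicShareMayLock(psr string) bool { return psr == "" || psr == conversions.RoleEditor }`, called here as `if !publicShareMayLock(utils.ReadPlainFromOpaque(u.Opaque, "public-share-role")) { return errors.ErrForbidden }`. The diffstat lists only the changelog and locks.go, so no regression test covers a viewer-role public link; one that drives both handlers would be worth adding. `Unlock`'s body continues past the end of the hunk.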
@@ -453,6 +458,11 @@ func (s *svc) lockReference(ctx context.Context, w http.ResponseWriter, r *http.
 }
 u := ctxpkg.ContextMustGetUser(ctx)
+ psr := utils.ReadPlainFromOpaque(u.Opaque, "public-share-role")
+ if psr != "" && psr != conversions.RoleEditor {
+ return http.StatusForbidden, errors.ErrForbidden
+ }
+
 token, now, created := "", time.Now(), false
 ld := LockDetails{UserID: u.Id, Root: ref, Duration: duration, OwnerName: u.GetDisplayName(), Locktime: now}
 if li == (lockInfo{}) {
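Review bot: The allow-list in the new check admits exactly one role string, `conversions.RoleEditor`; if the public-share authentication can attach other write-capable role names (for example a file-level editor role on a single-file link), those sessions now receive 403 on LOCK, so the accepted set should be confirmed against whatever writes `public-share-role`, or the check should consult the share's actual write permission on the resource rather than a role name. Matching on a role name also means any write-capable role added later silently loses locking until this list is updated, which deserves a comment at the check, e.g. `// Public-link sessions may only take locks when the link grants edit rights; the role is stamped into the user's opaque data by public-share authentication, so an empty value means a regular (non-link) user.` The check and its twin in `Unlock` should share one helper so the two cannot drift apart. `lockReference` starts before and continues after this hunk.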