Merge pull request #4631 from owncloud/wopi-public-shares

fix wopi access to publicly shared files
owncloud · Sep 22, 2022 · 91c2dad · 91c2dad
2 parents 131988a + 20026fa
commit 91c2dad
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 4 deletions.
diff --git a/changelog/unreleased/wopi-public-share.md b/changelog/unreleased/wopi-public-share.md
@@ -0,0 +1,6 @@
+Bugfix: Fix wopi access to public shares
+
+I've added a request check to the public share authenticator middleware to allow wopi to access public shares.
+
+https://github.com/owncloud/ocis/pull/4631
+https://github.com/owncloud/ocis/issues/4382
diff --git a/go.mod b/go.mod
@@ -12,7 +12,7 @@ require (
 	github.com/blevesearch/bleve_index_api v1.0.3
 	github.com/coreos/go-oidc/v3 v3.4.0
 	github.com/cs3org/go-cs3apis v0.0.0-20220818202316-e92afdddac6d
-	github.com/cs3org/reva/v2 v2.10.1-0.20220921105358-a098879574c0
+	github.com/cs3org/reva/v2 v2.10.1-0.20220921203558-038b633f66ad
 	github.com/disintegration/imaging v1.6.2
 	github.com/ggwhite/go-masker v1.0.9
 	github.com/go-chi/chi/v5 v5.0.7

diff --git a/go.sum b/go.sum
@@ -292,8 +292,8 @@ github.com/crewjam/saml v0.4.6 h1:XCUFPkQSJLvzyl4cW9OvpWUbRf0gE7VUpU8ZnilbeM4=
 github.com/crewjam/saml v0.4.6/go.mod h1:ZBOXnNPFzB3CgOkRm7Nd6IVdkG+l/wF+0ZXLqD96t1A=
 github.com/cs3org/go-cs3apis v0.0.0-20220818202316-e92afdddac6d h1:toyZ7IsXlUdEPZ/IG8fg7hbM8HcLPY0bkX4FKBmgLVI=
 github.com/cs3org/go-cs3apis v0.0.0-20220818202316-e92afdddac6d/go.mod h1:UXha4TguuB52H14EMoSsCqDj7k8a/t7g4gVP+bgY5LY=
-github.com/cs3org/reva/v2 v2.10.1-0.20220921105358-a098879574c0 h1:imOxcw4kha2WlNGOyBN7FbiAL4zQSlrdeqaNh5ZbeJ4=
-github.com/cs3org/reva/v2 v2.10.1-0.20220921105358-a098879574c0/go.mod h1:+BYVpRV8g1hL8wF3+3BunL9BKPsXVyJYmH8COxq/V7Y=
+github.com/cs3org/reva/v2 v2.10.1-0.20220921203558-038b633f66ad h1:ug56A+3gPrzBaR1hyKj93vJ+CSZjMx80I8WBourC3a0=
+github.com/cs3org/reva/v2 v2.10.1-0.20220921203558-038b633f66ad/go.mod h1:+BYVpRV8g1hL8wF3+3BunL9BKPsXVyJYmH8COxq/V7Y=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8 h1:Z9lwXumT5ACSmJ7WGnFl+OMLLjpz5uR2fyz7dC255FI=
 github.com/cubewise-code/go-mime v0.0.0-20200519001935-8c5762b177d8/go.mod h1:4abs/jPXcmJzYoYGF91JF9Uq9s/KL5n1jvFDix8KcqY=
 github.com/cyberdelia/templates v0.0.0-20141128023046-ca7fffd4298c/go.mod h1:GyV+0YP4qX0UQ7r2MoYZ+AvYDp12OF5yg4q8rGnyNh4=

diff --git a/services/proxy/pkg/middleware/public_share_auth.go b/services/proxy/pkg/middleware/public_share_auth.go
@@ -38,9 +38,18 @@ func isPublicShareArchive(r *http.Request) bool {
 	return false
 }
 
+// The app open requests can be made in public share contexts. For that the PublicShareAuthenticator needs to
+// augment the request context.
+// The app open requests can also be made in authenticated context. In these cases the PublicShareAuthenticator
+// needs to ignore the request.
+func isPublicShareAppOpen(r *http.Request) bool {
+	return strings.HasPrefix(r.URL.Path, "/app/open") &&
+		(r.URL.Query().Get(headerShareToken) != "" || r.Header.Get(headerShareToken) != "")
+}
+
 // Authenticate implements the authenticator interface to authenticate requests via public share auth.
 func (a PublicShareAuthenticator) Authenticate(r *http.Request) (*http.Request, bool) {
-	if !isPublicPath(r.URL.Path) && !isPublicShareArchive(r) {
+	if !isPublicPath(r.URL.Path) && !isPublicShareArchive(r) && !isPublicShareAppOpen(r) {
 		return nil, false
 	}