Merge pull request #50880 from nextcloud/backport/50873/stable31

AndyScherzinger · web-flow · commit f0a229c92f94 · 2025-02-19T20:45:17.000+01:00
[stable31] fix(files_sharing): block downloading if needed
diff --git a/apps/files_sharing/lib/Controller/ShareController.php b/apps/files_sharing/lib/Controller/ShareController.php
@@ -359,6 +359,11 @@ public function downloadShare($token, $files = null, $path = '') {
 			return new DataResponse('Share has no read permission');
 		}
 
+		$attributes = $share->getAttributes();
+		if ($attributes?->getAttribute('permissions', 'download') === false) {
+			return new DataResponse('Share has no download permission');
+		}
+
 		if (!$this->validateShare($share)) {
 			throw new NotFoundException();
 		}
diff --git a/apps/files_sharing/tests/Controller/ShareControllerTest.php b/apps/files_sharing/tests/Controller/ShareControllerTest.php
@@ -42,6 +42,7 @@
 use OCP\Security\ISecureRandom;
 use OCP\Server;
 use OCP\Share\Exceptions\ShareNotFound;
+use OCP\Share\IAttributes;
 use OCP\Share\IPublicShareTemplateFactory;
 use OCP\Share\IShare;
 use PHPUnit\Framework\MockObject\MockObject;
@@ -690,6 +691,34 @@ public function testDownloadShareWithCreateOnlyShare(): void {
 		$this->assertEquals($expectedResponse, $response);
 	}
 
+	public function testDownloadShareWithoutDownloadPermission(): void {
+		$attributes = $this->createMock(IAttributes::class);
+		$attributes->expects(self::once())
+			->method('getAttribute')
+			->with('permissions', 'download')
+			->willReturn(false);
+
+		$share = $this->createMock(IShare::class);
+		$share->method('getPassword')->willReturn('password');
+		$share->expects(self::once())
+			->method('getPermissions')
+			->willReturn(Constants::PERMISSION_READ);
+		$share->expects(self::once())
+			->method('getAttributes')
+			->willReturn($attributes);
+
+		$this->shareManager
+			->expects(self::once())
+			->method('getShareByToken')
+			->with('validtoken')
+			->willReturn($share);
+
+		// Test with a password protected share and no authentication
+		$response = $this->shareController->downloadShare('validtoken');
+		$expectedResponse = new DataResponse('Share has no download permission');
+		$this->assertEquals($expectedResponse, $response);
+	}
+
 	public function testDisabledOwner(): void {
 		$this->shareController->setToken('token');
 

Original file line number	Diff line number	Diff line change
`@@ -359,6 +359,11 @@ public function downloadShare($token, $files = null, $path = '') {`
`359`	`359`	`return new DataResponse('Share has no read permission');`
`360`	`360`	`}`
`361`	`361`
	`362`	`+ $attributes = $share->getAttributes();`
	`363`	`+ if ($attributes?->getAttribute('permissions', 'download') === false) {`
	`364`	`+ return new DataResponse('Share has no download permission');`
	`365`	`+ }`
	`366`	`+`
`362`	`367`	`if (!$this->validateShare($share)) {`
`363`	`368`	`throw new NotFoundException();`
`364`	`369`	`}`