From 27d5b0a718e4bc8447f8cd2c9699c7883324e29e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Mon, 26 Aug 2024 16:25:01 +0200
Subject: [PATCH] fix: Skip disabled download files when requesting assets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl
---
 lib/Controller/AssetsController.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/lib/Controller/AssetsController.php b/lib/Controller/AssetsController.php
index 984bd9ed2f..06eef3eb9e 100644
--- a/lib/Controller/AssetsController.php
+++ b/lib/Controller/AssetsController.php
@@ -23,6 +23,7 @@ namespace OCA\Richdocuments\Controller;
+use OCA\Files_Sharing\SharedStorage;
 use OCA\Richdocuments\Db\AssetMapper;
 use OCA\Richdocuments\Service\UserScopeService;
 use OCP\AppFramework\Controller;
@@ -34,6 +35,7 @@ use OCP\Files\File;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
+use OCP\Files\NotPermittedException;
 use OCP\IRequest;
 use OCP\IURLGenerator;
@@ -79,8 +81,24 @@ public function create($path) {
 try {
 $node = $userFolder->get($path);
+
+ if (!($node instanceof File)) {
+ return new JSONResponse([], Http::STATUS_NOT_FOUND);
+ }
+
+ $storage = $node->getStorage();
+ if ($storage->instanceOfStorage(SharedStorage::class)) {
+ /** @var SharedStorage $storage */
+ $share = $storage->getShare();
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ throw new NotPermittedException();
+ }
+ }
 } catch (NotFoundException $e) {
 return new JSONResponse([], Http::STATUS_NOT_FOUND);
+ } catch (NotPermittedException $e) {
+ return new JSONResponse([], Http::STATUS_FORBIDDEN);
 }
 $asset = $this->assetMapper->newAsset($this->userId, $node->getId());
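Review bot: `use OCA\Files_Sharing\SharedStorage;` introduces a direct reference from this controller to the files_sharing app, and nothing in the hunk records whether that app is a declared dependency. Since `SharedStorage::class` is a compile-time string and does not trigger autoloading, the `instanceOfStorage()` check in the later `create()` hunk should not fatal when files_sharing is disabled, but static analysis will need that app on its include path; a short comment on the import, `// files_sharing may be disabled: only ::class (a string) is used outside the instanceOfStorage() guard`, would make the intent explicit.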
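Review bot: The `throw new NotPermittedException();` inside the `try` exists only to reach the new `catch (NotPermittedException $e)` a few lines further down, which makes the 403 path harder to follow than a direct `return new JSONResponse([], Http::STATUS_FORBIDDEN);` at the point of the attribute check. If the catch is kept because `$userFolder->get($path)` or `getStorage()` can themselves raise `NotPermittedException`, a one-line comment on it should say so. The `/** @var SharedStorage $storage */` also glosses over the fact that `instanceOfStorage()` presumably matches a wrapped `SharedStorage` too, so `getShare()` is then invoked on the outer storage; `// instanceOfStorage() also matches wrappers; getShare() relies on the wrapper forwarding the call` would record that assumption next to it. A why-comment above the check, `// Enforce the share's "hide download" attribute here, since an asset token would otherwise bypass it`, would help the next reader as well. create() opens before the hunk and continues after it.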