Merge pull request #9299 from dragonchaser/thumbnailer-respect-secure…

…-view Thumbnailer respect secure view
owncloud · Jun 4, 2024 · b3db135 · b3db135
2 parents e1dcf47 + a145c36
commit b3db135
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 24 deletions.
diff --git a/changelog/unreleased/prevent-thumbnailer-from-showing-secureview-previews.md b/changelog/unreleased/prevent-thumbnailer-from-showing-secureview-previews.md
@@ -0,0 +1,6 @@
+Bugfix: Don't show thumbnails for secureview shares
+
+We have fixed a bug where thumbnails were shown for secureview shares.
+
+https://github.com/owncloud/ocis/pull/9299
+https://github.com/owncloud/ocis/issues/9249
diff --git a/services/thumbnails/pkg/service/grpc/v0/service.go b/services/thumbnails/pkg/service/grpc/v0/service.go
@@ -116,11 +116,10 @@ func (g Thumbnail) GetThumbnail(ctx context.Context, req *thumbnailssvc.GetThumb
 	return nil
 }
 
-func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetThumbnailRequest) (string, error) {
-	src := req.GetCs3Source()
-	sRes, err := g.stat(src.GetPath(), src.GetAuthorization())
-	if err != nil {
-		return "", err
+func (g Thumbnail) checkThumbnail(req *thumbnailssvc.GetThumbnailRequest, sRes *provider.StatResponse) (thumbnail.Request, error) {
+	tr := thumbnail.Request{}
+	if !sRes.GetInfo().GetPermissionSet().GetInitiateFileDownload() {
+		return tr, merrors.Forbidden(g.serviceID, "no download permission")
 	}
 
 	tType := thumbnail.GetExtForMime(sRes.GetInfo().GetMimeType())
@@ -129,11 +128,25 @@ func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetTh
 	}
 	tr, err := thumbnail.PrepareRequest(int(req.GetWidth()), int(req.GetHeight()), tType, sRes.GetInfo().GetChecksum().GetSum(), req.GetProcessor())
 	if err != nil {
-		return "", merrors.BadRequest(g.serviceID, err.Error())
+		return tr, merrors.BadRequest(g.serviceID, err.Error())
+	}
+
+	if _, exists := g.manager.CheckThumbnail(tr); exists {
+		return tr, nil
+	}
+	return tr, nil
+}
+
+func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetThumbnailRequest) (string, error) {
+	src := req.GetCs3Source()
+	sRes, err := g.stat(src.GetPath(), src.GetAuthorization())
+	if err != nil {
+		return "", err
 	}
 
-	if key, exists := g.manager.CheckThumbnail(tr); exists {
-		return key, nil
+	tr, err := g.checkThumbnail(req, sRes)
+	if err != nil {
+		return "", err
 	}
 
 	ctx = imgsource.ContextSetAuthorization(ctx, src.GetAuthorization())
@@ -206,19 +219,10 @@ func (g Thumbnail) handleWebdavSource(ctx context.Context, req *thumbnailssvc.Ge
 		return "", err
 	}
 
-	tType := thumbnail.GetExtForMime(sRes.GetInfo().GetMimeType())
-	if tType == "" {
-		tType = req.GetThumbnailType().String()
-	}
-	tr, err := thumbnail.PrepareRequest(int(req.GetWidth()), int(req.GetHeight()), tType, sRes.GetInfo().GetChecksum().GetSum(), req.GetProcessor())
+	tr, err := g.checkThumbnail(req, sRes)
 	if err != nil {
-		return "", merrors.BadRequest(g.serviceID, err.Error())
-	}
-
-	if key, exists := g.manager.CheckThumbnail(tr); exists {
-		return key, nil
+		return "", err
 	}
-
 	if src.GetWebdavAuthorization() != "" {
 		ctx = imgsource.ContextSetAuthorization(ctx, src.GetWebdavAuthorization())
 	}

diff --git a/services/webdav/pkg/service/v0/service.go b/services/webdav/pkg/service/v0/service.go
@@ -33,11 +33,6 @@ import (
 	"github.com/owncloud/ocis/v2/services/webdav/pkg/dav/requests"
 )
 
-func init() {
-	// register method with chi before any routing is set up
-	chi.RegisterMethod("REPORT")
-}
-
 var (
 	codesEnum = map[int]string{
 		http.StatusBadRequest:       "Sabre\\DAV\\Exception\\BadRequest",
@@ -94,6 +89,10 @@ func NewService(opts ...Option) (Service, error) {
 	if svc.config.DisablePreviews {
 		svc.thumbnailsClient = nil
 	}
+
+	// register method with chi before any routing is set up
+	chi.RegisterMethod("REPORT")
+
 	m.Route(options.Config.HTTP.Root, func(r chi.Router) {
 
 		if !svc.config.DisablePreviews {
@@ -261,6 +260,8 @@ func (g Webdav) SpacesThumbnail(w http.ResponseWriter, r *http.Request) {
 			return
 		case http.StatusBadRequest:
 			renderError(w, r, errBadRequest(e.Detail))
+		case http.StatusForbidden:
+			renderError(w, r, errPermissionDenied(e.Detail))
 		default:
 			renderError(w, r, errInternalError(err.Error()))
 		}
@@ -354,6 +355,8 @@ func (g Webdav) Thumbnail(w http.ResponseWriter, r *http.Request) {
 			return
 		case http.StatusBadRequest:
 			renderError(w, r, errBadRequest(e.Detail))
+		case http.StatusForbidden:
+			renderError(w, r, errPermissionDenied(e.Detail))
 		default:
 			renderError(w, r, errInternalError(err.Error()))
 		}
@@ -531,6 +534,10 @@ func errBadRequest(msg string) *errResponse {
 	return newErrResponse(http.StatusBadRequest, msg)
 }
 
+func errPermissionDenied(msg string) *errResponse {
+	return newErrResponse(http.StatusForbidden, msg)
+}
+
 func errNotFound(msg string) *errResponse {
 	return newErrResponse(http.StatusNotFound, msg)
 }