Thumbnailer respect secure view #9299

@@ -0,0 +1,6 @@
Bugfix: Don't show thumbnails for secureview shares

We have fixed a bug where thumbnails were shown for secureview shares.

https://github.com/owncloud/ocis/pull/9299
https://github.com/owncloud/ocis/issues/9249
42 changes: 23 additions & 19 deletions services/thumbnails/pkg/service/grpc/v0/service.go
Expand Up @@ -116,11 +116,10 @@ func (g Thumbnail) GetThumbnail(ctx context.Context, req *thumbnailssvc.GetThumb
return nil
}

func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetThumbnailRequest) (string, error) {
src := req.GetCs3Source()
sRes, err := g.stat(src.GetPath(), src.GetAuthorization())
if err != nil {
return "", err
func (g Thumbnail) checkThumbnail(req *thumbnailssvc.GetThumbnailRequest, sRes *provider.StatResponse) (thumbnail.Request, error) {
tr := thumbnail.Request{}
if !sRes.GetInfo().GetPermissionSet().GetInitiateFileDownload() {
return tr, merrors.Forbidden(g.serviceID, "no download permission")
}

tType := thumbnail.GetExtForMime(sRes.GetInfo().GetMimeType())
Expand All @@ -129,11 +128,25 @@ func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetTh
}
tr, err := thumbnail.PrepareRequest(int(req.GetWidth()), int(req.GetHeight()), tType, sRes.GetInfo().GetChecksum().GetSum(), req.GetProcessor())
if err != nil {
return "", merrors.BadRequest(g.serviceID, err.Error())
return tr, merrors.BadRequest(g.serviceID, err.Error())
}

if _, exists := g.manager.CheckThumbnail(tr); exists {
return tr, nil
}
return tr, nil
}

func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetThumbnailRequest) (string, error) {
src := req.GetCs3Source()
sRes, err := g.stat(src.GetPath(), src.GetAuthorization())
if err != nil {
return "", err
}

if key, exists := g.manager.CheckThumbnail(tr); exists {
return key, nil
tr, err := g.checkThumbnail(req, sRes)
if err != nil {
return "", err
}

ctx = imgsource.ContextSetAuthorization(ctx, src.GetAuthorization())
Expand Down Expand Up @@ -206,19 +219,10 @@ func (g Thumbnail) handleWebdavSource(ctx context.Context, req *thumbnailssvc.Ge
return "", err
}

tType := thumbnail.GetExtForMime(sRes.GetInfo().GetMimeType())
if tType == "" {
tType = req.GetThumbnailType().String()
}
tr, err := thumbnail.PrepareRequest(int(req.GetWidth()), int(req.GetHeight()), tType, sRes.GetInfo().GetChecksum().GetSum(), req.GetProcessor())
tr, err := g.checkThumbnail(req, sRes)
if err != nil {
return "", merrors.BadRequest(g.serviceID, err.Error())
}

if key, exists := g.manager.CheckThumbnail(tr); exists {
return key, nil
return "", err
}

if src.GetWebdavAuthorization() != "" {
ctx = imgsource.ContextSetAuthorization(ctx, src.GetWebdavAuthorization())
}
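Review bot: In checkThumbnail the result of `g.manager.CheckThumbnail(tr)` is discarded and both branches `return tr, nil`, so the lookup has no effect. The early `return key, nil` that handleCS3Source and handleWebdavSource used to take on a cache hit is also gone, so as far as these hunks show every request now goes on to fetch the source even when a thumbnail is already stored. Placing the `GetInitiateFileDownload()` check ahead of the lookup is the right order, because it keeps a stored thumbnail from being served to a view-only share; the hit just needs to be passed back, for example by returning the key alongside `tr` and having both callers `return key, nil` when it is non-empty. The rest of both callers' bodies is outside the hunks, so confirm that no later lookup already covers this.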
17 changes: 12 additions & 5 deletions services/webdav/pkg/service/v0/service.go
Expand Up @@ -33,11 +33,6 @@ import (
"github.com/owncloud/ocis/v2/services/webdav/pkg/dav/requests"
)

func init() {
// register method with chi before any routing is set up
chi.RegisterMethod("REPORT")
}

var (
codesEnum = map[int]string{
http.StatusBadRequest: "Sabre\\DAV\\Exception\\BadRequest",
Expand Down Expand Up @@ -94,6 +89,10 @@ func NewService(opts ...Option) (Service, error) {
if svc.config.DisablePreviews {
svc.thumbnailsClient = nil
}

// register method with chi before any routing is set up
chi.RegisterMethod("REPORT")

m.Route(options.Config.HTTP.Root, func(r chi.Router) {

if !svc.config.DisablePreviews {
Expand Down Expand Up @@ -261,6 +260,8 @@ func (g Webdav) SpacesThumbnail(w http.ResponseWriter, r *http.Request) {
return
case http.StatusBadRequest:
renderError(w, r, errBadRequest(e.Detail))
case http.StatusForbidden:
renderError(w, r, errPermissionDenied(e.Detail))
default:
renderError(w, r, errInternalError(err.Error()))
}
Expand Down Expand Up @@ -354,6 +355,8 @@ func (g Webdav) Thumbnail(w http.ResponseWriter, r *http.Request) {
return
case http.StatusBadRequest:
renderError(w, r, errBadRequest(e.Detail))
case http.StatusForbidden:
renderError(w, r, errPermissionDenied(e.Detail))
default:
renderError(w, r, errInternalError(err.Error()))
}
Expand Down Expand Up @@ -531,6 +534,10 @@ func errBadRequest(msg string) *errResponse {
return newErrResponse(http.StatusBadRequest, msg)
}

func errPermissionDenied(msg string) *errResponse {
return newErrResponse(http.StatusForbidden, msg)
}

func errNotFound(msg string) *errResponse {
return newErrResponse(http.StatusNotFound, msg)
}
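Review bot: The new `case http.StatusForbidden:` is added to SpacesThumbnail and Thumbnail only, while the thumbnails service on this page now returns Forbidden from handleWebdavSource as well. If another handler in this file fronts that path (none is visible in these hunks), a denied secure-view request would fall through to `default` and be answered as a 500 carrying `err.Error()`; that handler would need the same `case http.StatusForbidden: renderError(w, r, errPermissionDenied(e.Detail))`. Separately, moving `chi.RegisterMethod("REPORT")` from `init()` into NewService means chi's package-level method registration now runs on every construction, so a comment stating that NewService is expected to run before any other router is built would help. Both handlers' bodies continue outside the hunks.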