return badrequest when exporting gdpr for other user

Signed-off-by: jkoberg <jkoberg@owncloud.com>
jkoberg
2023-04-24 12:14:19 +02:00
parent 6ad31f113b
commit 8f5c255225
2 changed files with 12 additions and 0 deletions


@@ -0,0 +1,5 @@
Enhancement: Return Bad Request when requesting GDPR export for another user
This is an enhancement, not security related as the requested uid is never used
https://github.com/owncloud/ocis/pull/6123


@@ -19,6 +19,7 @@ import (
"github.com/cs3org/reva/v2/pkg/events"
"github.com/cs3org/reva/v2/pkg/rhttp"
"github.com/cs3org/reva/v2/pkg/utils"
"github.com/go-chi/chi/v5"
ehmsg "github.com/owncloud/ocis/v2/protogen/gen/ocis/messages/eventhistory/v0"
ehsvc "github.com/owncloud/ocis/v2/protogen/gen/ocis/services/eventhistory/v0"
)
@@ -42,6 +43,12 @@ type ExportPersonalDataRequest struct {
func (g Graph) ExportPersonalData(w http.ResponseWriter, r *http.Request) {
ctx := r.Context()
u := revactx.ContextMustGetUser(ctx)
if reqUserID := chi.URLParam(r, "userID"); reqUserID != u.GetId().GetOpaqueId() {
g.logger.Info().Msg("uid mismatch")
w.WriteHeader(http.StatusBadRequest)
_, _ = w.Write([]byte("personal data export for other users are not permitted"))
return
}
// Get location from request
loc := getLocation(r)