diff --git a/changelog/unreleased/prevent-thumbnailer-from-showing-secureview-previews.md b/changelog/unreleased/prevent-thumbnailer-from-showing-secureview-previews.md
new file mode 100644
index 0000000000..686bd6ea90
--- /dev/null
+++ b/changelog/unreleased/prevent-thumbnailer-from-showing-secureview-previews.md
@@ -0,0 +1,6 @@
+Bugfix: Don't show thumbnails for secureview shares
+
+We have fixed a bug where thumbnails were shown for secureview shares.
+
+https://github.com/owncloud/ocis/pull/9299
+https://github.com/owncloud/ocis/issues/9249
diff --git a/services/thumbnails/pkg/service/grpc/v0/service.go b/services/thumbnails/pkg/service/grpc/v0/service.go
index 5982b1ca40..7049064b70 100644
--- a/services/thumbnails/pkg/service/grpc/v0/service.go
+++ b/services/thumbnails/pkg/service/grpc/v0/service.go
@@ -116,11 +116,10 @@ func (g Thumbnail) GetThumbnail(ctx context.Context, req *thumbnailssvc.GetThumb
 return nil
 }
 
-func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetThumbnailRequest) (string, error) {
- src := req.GetCs3Source()
- sRes, err := g.stat(src.GetPath(), src.GetAuthorization())
- if err != nil {
- return "", err
+func (g Thumbnail) checkThumbnail(req *thumbnailssvc.GetThumbnailRequest, sRes *provider.StatResponse) (thumbnail.Request, error) {
+ tr := thumbnail.Request{}
+ if !sRes.GetInfo().GetPermissionSet().GetInitiateFileDownload() {
+ return tr, merrors.Forbidden(g.serviceID, "no download permission")
 }
 
 tType := thumbnail.GetExtForMime(sRes.GetInfo().GetMimeType())
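Review bot: checkThumbnail in services/thumbnails/pkg/service/grpc/v0/service.go is now the authorization gate for both source handlers, but it has no doc comment and its name only suggests a cache lookup. The check fails closed, assuming these are the usual nil-safe generated protobuf getters: a stat response without Info or PermissionSet yields false and is rejected. That is worth writing down so a later nil-guard does not turn it into default-allow. I would add `// checkThumbnail rejects callers without the InitiateFileDownload permission (e.g. secure-view shares) and builds the thumbnail.Request for the stat'ed resource.` above the function. The body continues past this hunk into the next one.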
@@ -129,11 +128,25 @@ func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetTh
 }
 tr, err := thumbnail.PrepareRequest(int(req.GetWidth()), int(req.GetHeight()), tType, sRes.GetInfo().GetChecksum().GetSum(), req.GetProcessor())
 if err != nil {
- return "", merrors.BadRequest(g.serviceID, err.Error())
+ return tr, merrors.BadRequest(g.serviceID, err.Error())
 }
 
- if key, exists := g.manager.CheckThumbnail(tr); exists {
- return key, nil
+ if _, exists := g.manager.CheckThumbnail(tr); exists {
+ return tr, nil
+ }
+ return tr, nil
+}
+
+func (g Thumbnail) handleCS3Source(ctx context.Context, req *thumbnailssvc.GetThumbnailRequest) (string, error) {
+ src := req.GetCs3Source()
+ sRes, err := g.stat(src.GetPath(), src.GetAuthorization())
+ if err != nil {
+ return "", err
+ }
+
+ tr, err := g.checkThumbnail(req, sRes)
+ if err != nil {
+ return "", err
 }
 
 ctx = imgsource.ContextSetAuthorization(ctx, src.GetAuthorization())
@@ -206,19 +219,10 @@ func (g Thumbnail) handleWebdavSource(ctx context.Context, req *thumbnailssvc.Ge
 return "", err
 }
 
- tType := thumbnail.GetExtForMime(sRes.GetInfo().GetMimeType())
- if tType == "" {
- tType = req.GetThumbnailType().String()
- }
- tr, err := thumbnail.PrepareRequest(int(req.GetWidth()), int(req.GetHeight()), tType, sRes.GetInfo().GetChecksum().GetSum(), req.GetProcessor())
+ tr, err := g.checkThumbnail(req, sRes)
 if err != nil {
- return "", merrors.BadRequest(g.serviceID, err.Error())
+ return "", err
 }
-
- if key, exists := g.manager.CheckThumbnail(tr); exists {
- return key, nil
- }
-
 if src.GetWebdavAuthorization() != "" {
 ctx = imgsource.ContextSetAuthorization(ctx, src.GetWebdavAuthorization())
 }
diff --git a/services/webdav/pkg/service/v0/service.go b/services/webdav/pkg/service/v0/service.go
index ad91475272..3e61be951d 100644
--- a/services/webdav/pkg/service/v0/service.go
+++ b/services/webdav/pkg/service/v0/service.go
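Review bot: The cache lookup at the end of checkThumbnail (services/thumbnails/pkg/service/grpc/v0/service.go) no longer has any effect: both the `exists` branch and the fall-through `return tr, nil`, and the key from `g.manager.CheckThumbnail(tr)` is discarded. Before this change handleCS3Source and handleWebdavSource returned that key on a hit; now they appear to continue into the source fetch on every request (the rest of both functions is outside the hunks), so each preview request would cost a download and a re-render. Drop the lookup from checkThumbnail and restore `if key, exists := g.manager.CheckThumbnail(tr); exists { return key, nil }` directly after the `g.checkThumbnail(req, sRes)` error check in both handlers; the second one is in the `@@ -206,19 +219,10 @@` hunk. The permission check still runs first, so a cached thumbnail is not handed to a caller without download permission.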
@@ -33,11 +33,6 @@ import (
 "github.com/owncloud/ocis/v2/services/webdav/pkg/dav/requests"
 )
 
-func init() {
- // register method with chi before any routing is set up
- chi.RegisterMethod("REPORT")
-}
-
 var (
 codesEnum = map[int]string{
 http.StatusBadRequest: "Sabre\\DAV\\Exception\\BadRequest",
@@ -94,6 +89,10 @@ func NewService(opts ...Option) (Service, error) {
 if svc.config.DisablePreviews {
 svc.thumbnailsClient = nil
 }
+
+ // register method with chi before any routing is set up
+ chi.RegisterMethod("REPORT")
+
 m.Route(options.Config.HTTP.Root, func(r chi.Router) {
 
 if !svc.config.DisablePreviews {
@@ -261,6 +260,8 @@ func (g Webdav) SpacesThumbnail(w http.ResponseWriter, r *http.Request) {
 return
 case http.StatusBadRequest:
 renderError(w, r, errBadRequest(e.Detail))
+ case http.StatusForbidden:
+ renderError(w, r, errPermissionDenied(e.Detail))
 default:
 renderError(w, r, errInternalError(err.Error()))
 }
@@ -354,6 +355,8 @@ func (g Webdav) Thumbnail(w http.ResponseWriter, r *http.Request) {
 return
 case http.StatusBadRequest:
 renderError(w, r, errBadRequest(e.Detail))
+ case http.StatusForbidden:
+ renderError(w, r, errPermissionDenied(e.Detail))
 default:
 renderError(w, r, errInternalError(err.Error()))
 }
@@ -531,6 +534,10 @@ func errBadRequest(msg string) *errResponse {
 return newErrResponse(http.StatusBadRequest, msg)
 }
 
+func errPermissionDenied(msg string) *errResponse {
+ return newErrResponse(http.StatusForbidden, msg)
+}
+
 func errNotFound(msg string) *errResponse {
 return newErrResponse(http.StatusNotFound, msg)
 }
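Review bot: Calling `chi.RegisterMethod("REPORT")` inside NewService (services/webdav/pkg/service/v0/service.go) loses the ordering guarantee that `init()` gave: the router `m` used on the next line appears to be created before NewService runs (it is not built in this hunk), and the call now repeats on every NewService invocation. chi keeps its method table in package-level state, so repeated or concurrent construction (tests, several instances in one process) would touch it without synchronisation; I have not verified whether that happens here. If the move out of `init()` is intentional, guard it with a package-level `var registerReport sync.Once` and `registerReport.Do(func() { chi.RegisterMethod("REPORT") })`, and say in the comment why it cannot stay in `init()`.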
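Review bot: The new `case http.StatusForbidden` is added by hand to SpacesThumbnail and, identically, to Thumbnail in the `@@ -354,6 +355,8 @@` hunk. Any other handler in this file that switches on the thumbnails client's error code (none is visible in this diff) would still send the new Forbidden result to `default` and answer with an internal error. A small shared helper that maps the code to `errBadRequest` / `errPermissionDenied` / `errInternalError` would keep the handlers in step. The surrounding switch starts outside both hunks. `e.Detail` from the thumbnails service is echoed to the client here, so that message should stay free of internal detail.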