fix(activitylog): forbid sharees access to activities

Signed-off-by: jkoberg <jkoberg@owncloud.com>
jkoberg
2024-09-23 15:01:14 +02:00
parent b3e5d80306
commit e2e80326fd
2 changed files with 12 additions and 1 deletions


@@ -0,0 +1,5 @@
Bugfix: Forbid Activities for Sharees
Sharees may not see item activities. We now bind it to ListGrants permission.
https://github.com/owncloud/ocis/pull/10136


@@ -67,12 +67,18 @@ func (s *ActivitylogService) HandleGetItemActivities(w http.ResponseWriter, r *h
return
}
_, err = utils.GetResourceByID(ctx, rid, gwc)
info, err := utils.GetResourceByID(ctx, rid, gwc)
if err != nil {
w.WriteHeader(http.StatusForbidden)
return
}
// you need ListGrants to see activities
if !info.GetPermissionSet().GetListGrants() {
w.WriteHeader(http.StatusForbidden)
return
}
raw, err := s.Activities(rid)
if err != nil {
s.log.Error().Err(err).Msg("error getting activities")
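Review bot: The new `GetListGrants()` guard in HandleGetItemActivities is an authorization decision, yet the commit touches only the handler and the changelog, so no test pins that a sharee receives 403 while a user holding ListGrants still gets the list. A handler test covering both cases would keep a later refactor from silently reopening the endpoint. The denial branch also returns without a log entry, unlike the `s.Activities` error path below it, so refused requests leave no trace for anyone investigating access problems; a line such as `s.log.Debug().Msg("activities denied: ListGrants permission missing")` before `w.WriteHeader(http.StatusForbidden)` would cover that. The comment could also state why ListGrants is the chosen permission, for example `// activities can reveal who else an item is shared with, so require ListGrants`, assuming that is the reasoning behind the changelog entry. The function body starts and ends outside the hunk.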