Skip to content
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
The table of contents is too big for display.
Diff view
Diff view
  •  
  •  
  •  
2 changes: 1 addition & 1 deletion apps/dav/lib/Connector/LegacyPublicAuth.php
Original file line number Diff line number Diff line change
Expand Up @@ -67,7 +67,7 @@ protected function validateUserPass($username, $password) {
\OC_User::setIncognitoMode(true);

// check if the share is password protected
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
if ($share->getShareType() === IShare::TYPE_LINK
|| $share->getShareType() === IShare::TYPE_EMAIL
|| $share->getShareType() === IShare::TYPE_CIRCLE) {
Expand Down
6 changes: 3 additions & 3 deletions apps/dav/lib/Connector/Sabre/PublicAuth.php
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ public function check(RequestInterface $request, ResponseInterface $response): a
try {
$this->throttler->sleepDelayOrThrowOnMax($this->request->getRemoteAddress(), self::BRUTEFORCE_ACTION);

if (count($_COOKIE) > 0 && !$this->request->passesStrictCookieCheck() && $this->getShare()->getPassword() !== null) {
if (count($_COOKIE) > 0 && !$this->request->passesStrictCookieCheck() && $this->getShare()->isPasswordProtected()) {
throw new PreconditionFailed('Strict cookie check failed');
}

Expand Down Expand Up @@ -142,7 +142,7 @@ private function checkToken(): array {
}

// If the share is protected but user is not authenticated
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
$this->throttler->registerAttempt(self::BRUTEFORCE_ACTION, $this->request->getRemoteAddress());
throw new NotAuthenticated();
}
Expand Down Expand Up @@ -176,7 +176,7 @@ protected function validateUserPass($username, $password) {
\OC_User::setIncognitoMode(true);

// check if the share is password protected
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
if ($share->getShareType() === IShare::TYPE_LINK
|| $share->getShareType() === IShare::TYPE_EMAIL
|| $share->getShareType() === IShare::TYPE_CIRCLE) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -98,8 +98,7 @@ public function createFederatedShare($shareWith, $token, $password = '') {
$authenticated = in_array($share->getId(), $allowedShareIds)
|| $this->shareManager->checkPassword($share, $password);

$storedPassword = $share->getPassword();
if (!empty($storedPassword) && !$authenticated) {
if ($share->isPasswordProtected() && !$authenticated) {
$response = new JSONResponse(
['message' => 'No permission to access the share'],
Http::STATUS_BAD_REQUEST
Expand Down
11 changes: 11 additions & 0 deletions apps/files_sharing/appinfo/routes.php
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,17 @@
'url' => '/shareinfo',
'verb' => 'POST',
],
[
'name' => 'ShareOTP#request',
'url' => '/s/{token}/requestotp',
'verb' => 'GET',
'root' => '',
],
[
'name' => 'ShareOTP#listProviders',
'url' => '/otp-providers',
'verb' => 'GET',
],
[
'name' => 'Settings#setDefaultAccept',
'url' => '/settings/defaultAccept',
Expand Down
2 changes: 2 additions & 0 deletions apps/files_sharing/composer/composer/autoload_classmap.php
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@
'OCA\\Files_Sharing\\Controller\\ShareController' => $baseDir . '/../lib/Controller/ShareController.php',
'OCA\\Files_Sharing\\Controller\\ShareInfoController' => $baseDir . '/../lib/Controller/ShareInfoController.php',
'OCA\\Files_Sharing\\Controller\\ShareesAPIController' => $baseDir . '/../lib/Controller/ShareesAPIController.php',
'OCA\\Files_Sharing\\Controller\\ShareOTPController' => $baseDir . '/../lib/Controller/ShareOTPController.php',
'OCA\\Files_Sharing\\DefaultPublicShareTemplateProvider' => $baseDir . '/../lib/DefaultPublicShareTemplateProvider.php',
'OCA\\Files_Sharing\\DeleteOrphanedSharesJob' => $baseDir . '/../lib/DeleteOrphanedSharesJob.php',
'OCA\\Files_Sharing\\Event\\BeforeTemplateRenderedEvent' => $baseDir . '/../lib/Event/BeforeTemplateRenderedEvent.php',
Expand Down Expand Up @@ -91,6 +92,7 @@
'OCA\\Files_Sharing\\Migration\\Version33000Date20251030081948' => $baseDir . '/../lib/Migration/Version33000Date20251030081948.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306120000' => $baseDir . '/../lib/Migration/Version33000Date20260306120000.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306150000' => $baseDir . '/../lib/Migration/Version33000Date20260306150000.php',
'OCA\\Files_Sharing\\Migration\\Version35000Date20260624183500' => $baseDir . '/../lib/Migration/Version35000Date20260624183500.php',
'OCA\\Files_Sharing\\MountProvider' => $baseDir . '/../lib/MountProvider.php',
'OCA\\Files_Sharing\\Notification\\Listener' => $baseDir . '/../lib/Notification/Listener.php',
'OCA\\Files_Sharing\\Notification\\Notifier' => $baseDir . '/../lib/Notification/Notifier.php',
Expand Down
2 changes: 2 additions & 0 deletions apps/files_sharing/composer/composer/autoload_static.php
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ class ComposerStaticInitFiles_Sharing
'OCA\\Files_Sharing\\Controller\\ShareController' => __DIR__ . '/..' . '/../lib/Controller/ShareController.php',
'OCA\\Files_Sharing\\Controller\\ShareInfoController' => __DIR__ . '/..' . '/../lib/Controller/ShareInfoController.php',
'OCA\\Files_Sharing\\Controller\\ShareesAPIController' => __DIR__ . '/..' . '/../lib/Controller/ShareesAPIController.php',
'OCA\\Files_Sharing\\Controller\\ShareOTPController' => __DIR__ . '/..' . '/../lib/Controller/ShareOTPController.php',
'OCA\\Files_Sharing\\DefaultPublicShareTemplateProvider' => __DIR__ . '/..' . '/../lib/DefaultPublicShareTemplateProvider.php',
'OCA\\Files_Sharing\\DeleteOrphanedSharesJob' => __DIR__ . '/..' . '/../lib/DeleteOrphanedSharesJob.php',
'OCA\\Files_Sharing\\Event\\BeforeTemplateRenderedEvent' => __DIR__ . '/..' . '/../lib/Event/BeforeTemplateRenderedEvent.php',
Expand Down Expand Up @@ -106,6 +107,7 @@ class ComposerStaticInitFiles_Sharing
'OCA\\Files_Sharing\\Migration\\Version33000Date20251030081948' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20251030081948.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306120000' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20260306120000.php',
'OCA\\Files_Sharing\\Migration\\Version33000Date20260306150000' => __DIR__ . '/..' . '/../lib/Migration/Version33000Date20260306150000.php',
'OCA\\Files_Sharing\\Migration\\Version35000Date20260624183500' => __DIR__ . '/..' . '/../lib/Migration/Version35000Date20260624183500.php',
'OCA\\Files_Sharing\\MountProvider' => __DIR__ . '/..' . '/../lib/MountProvider.php',
'OCA\\Files_Sharing\\Notification\\Listener' => __DIR__ . '/..' . '/../lib/Notification/Listener.php',
'OCA\\Files_Sharing\\Notification\\Notifier' => __DIR__ . '/..' . '/../lib/Notification/Notifier.php',
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -60,7 +60,7 @@ public function isValidToken(): bool {

#[\Override]
protected function isPasswordProtected(): bool {
return $this->share->getPassword() !== null;
return $this->share->isPasswordProtected();
}

/**
Expand Down Expand Up @@ -181,7 +181,7 @@ public function directLink(string $token) {
}

// Password protected shares have no direct link!
if ($share->getPassword() !== null) {
if ($share->isPasswordProtected()) {
return new DataResponse([], Http::STATUS_FORBIDDEN);
}

Expand Down
98 changes: 89 additions & 9 deletions apps/files_sharing/lib/Controller/ShareAPIController.php
Original file line number Diff line number Diff line change
Expand Up @@ -57,6 +57,9 @@
use OCP\Lock\LockedException;
use OCP\Mail\IEmailValidator;
use OCP\Mail\IMailer;
use OCP\OneTimePassword\Exceptions\OTPProviderNotFoundException;
use OCP\OneTimePassword\IManager as IOTPManager;
use OCP\Security\ISecureRandom;
use OCP\Server;
use OCP\Share\Exceptions\GenericShareException;
use OCP\Share\Exceptions\ShareNotFound;
Expand Down Expand Up @@ -91,6 +94,7 @@ public function __construct(
string $appName,
IRequest $request,
private IManager $shareManager,
private IOTPManager $otpManager,
private IGroupManager $groupManager,
private IUserManager $userManager,
private IRootFolder $rootFolder,
Expand All @@ -109,6 +113,7 @@ public function __construct(
private ITagManager $tagManager,
private IEmailValidator $emailValidator,
private ?TrustedServers $trustedServers,
protected ISecureRandom $secureRandom,
private ?string $userId = null,
) {
parent::__construct($appName, $request);
Expand Down Expand Up @@ -342,6 +347,9 @@ protected function formatShare(IShare $share, ?Node $recipientNode = null): arra
}
}

$result['otp_provider'] = $share->getOneTimePassword()?->getProviderId();
$result['otp_recipient'] = $share->getOneTimePassword()?->getRecipient();

$result['mail_send'] = $share->getMailSend() ? 1 : 0;
$result['hide_download'] = $share->getHideDownload() ? 1 : 0;

Expand Down Expand Up @@ -583,9 +591,11 @@ public function deleteShare(string $id): DataResponse {
* @param string $label Label for the share (only used in link and email)
* @param string|null $attributes Additional attributes for the share
* @param 'false'|'true'|null $sendMail Send a mail to the recipient
* @param ?string $otpProvider The id of an otp provider (e.g. 'email')
* @param ?string $otpRecipient The identifier of an OTP recipient (e.g. an email address)
*
* @return DataResponse<Http::STATUS_OK, Files_SharingShare, array{}>
* @throws OCSBadRequestException Unknown share type
* @throws OCSBadRequestException Unknown share type or invalid combination of arguments
* @throws OCSException
* @throws OCSForbiddenException Creating the share is not allowed
* @throws OCSNotFoundException Creating the share failed
Expand All @@ -608,7 +618,16 @@ public function createShare(
string $label = '',
?string $attributes = null,
?string $sendMail = null,
?string $otpProvider = null,
?string $otpRecipient = null,
): DataResponse {
if ($otpProvider === '') {
$otpProvider = null;
}
if ($otpRecipient === '') {
$otpRecipient = null;
}

assert($this->userId !== null);

$share = $this->shareManager->newShare();
Expand Down Expand Up @@ -736,11 +755,29 @@ public function createShare(
throw new OCSNotFoundException($this->l->t('Public link sharing is disabled by the administrator'));
}

$this->validateLinkSharePermissions($node, $permissions, $hasPublicUpload);
$this->validateLinkSharePermissions($node, $permissions, $hasPublicUpload, $otpRecipient !== null);
$share->setPermissions($permissions);

// Set password
if ($password !== '') {
if ($otpRecipient !== null && $otpRecipient !== '') {
if ($otpProvider === null || $otpProvider === '') {
throw new OCSBadRequestException($this->l->t('otpProvider must not be null if otpRecipient is given'));
}
if ($password !== '') {
throw new OCSBadRequestException($this->l->t('otpRecipient and password are mutually exclusive (but both were given)'));
}
try {
$otp = $this->otpManager->createOTP($otpProvider, $otpRecipient);
} catch (OTPProviderNotFoundException $e) {
$this->logger->warning('Could not update share', ['exception' => $e]);
throw new OCSBadRequestException($this->l->t('No OTP provider found for id {provider}', ['provider' => $otpProvider]));
}
$share->setOneTimePassword($otp);

// When using OTPs we still use the password internally to
// store it in the session after successful authentication
$password = $this->secureRandom->generate(32);
$share->setPassword($password);
} elseif ($password !== '') {
$share->setPassword($password);
}

Expand Down Expand Up @@ -1246,6 +1283,8 @@ private function hasPermission(int $permissionsSet, int $permissionsToCheck): bo
* You will have to use the sendMail action to send the mail.
* @param string|null $shareWith New recipient for email shares
* @param string|null $token New token
* @param ?string $otpProvider The id of an otp provider (e.g. 'email')
* @param ?string $otpRecipient The identifier of an OTP recipient (e.g. an email address)
* @return DataResponse<Http::STATUS_OK, Files_SharingShare, array{}>
* @throws OCSBadRequestException Share could not be updated because the requested changes are invalid
* @throws OCSForbiddenException Missing permissions to update the share
Expand All @@ -1267,6 +1306,8 @@ public function updateShare(
?string $attributes = null,
?string $sendMail = null,
?string $token = null,
?string $otpProvider = null,
?string $otpRecipient = null,
): DataResponse {
try {
$share = $this->getShareById($id);
Expand Down Expand Up @@ -1335,9 +1376,45 @@ public function updateShare(
$share->setPermissions($permissions);
}

$passwordParamSent = $password !== null;
if ($passwordParamSent) {
if ($password === '') {
// Reset otp and password if we used an otp previously and don't do anymore
if ($otpProvider === '' && $share->getOneTimePassword() !== null) {
$share->setOneTimePassword(null);
$share->setPassword(null);
$otpProvider = null;
$otpRecipient = null;
}

if ($otpRecipient !== null) {
$clearOTP = $otpRecipient === '';
if (!$clearOTP) {
if ($otpProvider === null || $otpProvider === '') {
throw new OCSBadRequestException($this->l->t('otpProvider must not be empty if otpRecipient is given'));
}
if ($password !== '' && $password !== null) {
throw new OCSBadRequestException($this->l->t('otpRecipient and password are mutually exclusive (but both were given)'));
}
}
$origOTP = $share->getOneTimePassword();
if ($origOTP?->getProviderId() !== $otpProvider || $origOTP?->getRecipient() !== $otpRecipient) {
try {
$otp = $this->otpManager->createOTP($otpProvider, $otpRecipient);
} catch (OTPProviderNotFoundException $e) {
$this->logger->warning('Could not update share', ['exception' => $e]);
throw new OCSBadRequestException($this->l->t('No OTP provider found for id {provider}', ['provider' => $otpProvider]));
}
$share->setOneTimePassword($otp);

// When using OTPs we still use the password internally to
// store it in the session after successful authentication
$password = $this->secureRandom->generate(32);
$share->setPassword($password);
}
} elseif ($password !== null) {
if ($share->getOneTimePassword() !== null) {
$deleteOtpId = $share->getOneTimePassword()->getId();
$share->setOneTimePassword(null);
}
if ($password === '' && $share->getOneTimePassword() !== null) {
$share->setPassword(null);
} else {
$share->setPassword($password);
Expand Down Expand Up @@ -2178,11 +2255,14 @@ public function sendShareEmail(string $id, $password = ''): DataResponse {
// the password clear, it is just a temporary
// object manipulation. The password will stay
// encrypted in the database.
if ($share->getPassword() !== null && $share->getPassword() !== $password) {
if (($share->getPassword() !== null && $share->getPassword() !== $password) || ($share->getOneTimePassword() !== null)) {
if (!$this->shareManager->checkPassword($share, $password)) {
throw new OCSBadRequestException($this->l->t('Wrong password'));
}
$share = $share->setPassword($password);
$share->setPassword($password);
if ($password !== null && $password !== '') {
$share->setOneTimePassword(null);
}
}

$provider->sendMailNotification($share);
Expand Down
Loading