fix bug 69535

ONLYOFFICE · Aug 2, 2024 · 2595f53 · 2595f53
1 parent f9155cd
commit 2595f53
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 22 deletions.
diff --git a/common/ASC.Api.Core/Security/EmailValidationKeyModelHelper.cs b/common/ASC.Api.Core/Security/EmailValidationKeyModelHelper.cs
@@ -126,7 +126,7 @@ public async Task<ValidationResult> ValidateAsync(EmailValidationKeyModel inDto)
                 break;
 
             case ConfirmType.LinkInvite:
-                checkKeyResult = (await invitationValidator.ValidateAsync(key, email, emplType ?? default)).Status;
+                checkKeyResult = (await invitationValidator.ValidateAsync(key, email, emplType ?? default, uiD)).Status;
                 break;
 
             case ConfirmType.PortalOwnerChange:                

diff --git a/common/ASC.Api.Core/Security/InvitationValidator.cs b/common/ASC.Api.Core/Security/InvitationValidator.cs
@@ -38,16 +38,19 @@ public class InvitationValidator(
 {
     public TimeSpan IndividualLinkExpirationInterval => emailValidationKeyProvider.ValidEmailKeyInterval;
 
-    public string MakeIndividualLinkKey(Guid linkId)
+    public string MakeIndividualLinkKey(Guid linkId, Guid createBy)
     {
-        return signature.Create(linkId);
+        return signature.Create(linkId + "." + createBy);
     }
 
-    public async Task<LinkValidationResult> ValidateAsync(string key, string email, EmployeeType employeeType)
+    public async Task<LinkValidationResult> ValidateAsync(string key, string email, EmployeeType employeeType, Guid? userId = default)
     {
-        var result = new LinkValidationResult { Status = EmailValidationKeyProvider.ValidationResult.Invalid };
+        var result = new LinkValidationResult
+        {
+            Status = EmailValidationKeyProvider.ValidationResult.Invalid
+        };
 
-        var (commonWithRoomLinkResult, linkId) = ValidateCommonWithRoomLink(key);
+        var (commonWithRoomLinkResult, linkId) = ValidateCommonWithRoomLink(key, userId);
 
         if (commonWithRoomLinkResult != EmailValidationKeyProvider.ValidationResult.Invalid)
         {
@@ -58,9 +61,12 @@ public async Task<LinkValidationResult> ValidateAsync(string key, string email,
             return result;
         }
 
-        var commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(ConfirmType.LinkInvite.ToStringFast() + (int)employeeType,
-            key, emailValidationKeyProvider.ValidEmailKeyInterval);
-
+        var commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(ConfirmType.LinkInvite.ToStringFast() + (int)employeeType, key, emailValidationKeyProvider.ValidEmailKeyInterval);
+        if (commonLinkResult == EmailValidationKeyProvider.ValidationResult.Invalid && userId.HasValue)
+        {
+            commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(ConfirmType.LinkInvite.ToStringFast() + (int)employeeType + userId.Value, key, emailValidationKeyProvider.ValidEmailKeyInterval);
+        }
+
         if (commonLinkResult != EmailValidationKeyProvider.ValidationResult.Invalid)
         {
             result.Status = commonLinkResult;
@@ -70,8 +76,7 @@ public async Task<LinkValidationResult> ValidateAsync(string key, string email,
             return result;
         }
 
-        commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.EmpInvite.ToStringFast() + (int)employeeType,
-            key, emailValidationKeyProvider.ValidEmailKeyInterval);
+        commonLinkResult = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.EmpInvite.ToStringFast() + (int)employeeType, key, emailValidationKeyProvider.ValidEmailKeyInterval);
 
         if (commonLinkResult != EmailValidationKeyProvider.ValidationResult.Invalid)
         {
@@ -99,8 +104,7 @@ public async Task<LinkValidationResult> ValidateAsync(string key, string email,
 
     private async Task<(EmailValidationKeyProvider.ValidationResult, UserInfo)> ValidateIndividualLinkAsync(string email, string key, EmployeeType employeeType)
     {
-        var result = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.LinkInvite.ToStringFast() + employeeType.ToStringFast(),
-            key, IndividualLinkExpirationInterval);
+        var result = await emailValidationKeyProvider.ValidateEmailKeyAsync(email + ConfirmType.LinkInvite.ToStringFast() + employeeType.ToStringFast(), key, IndividualLinkExpirationInterval);
 
         if (result != EmailValidationKeyProvider.ValidationResult.Ok)
         {
@@ -131,10 +135,19 @@ public async Task<LinkValidationResult> ValidateAsync(string key, string email,
         return (result, user);
     }
 
-    private (EmailValidationKeyProvider.ValidationResult, Guid) ValidateCommonWithRoomLink(string key)
+    private (EmailValidationKeyProvider.ValidationResult, Guid) ValidateCommonWithRoomLink(string key,Guid? userId = null)
     {
         var linkId = signature.Read<Guid>(key);
-
+        if (linkId == default && userId.HasValue)
+        {
+            var combined = signature.Read<string>(key);
+            var split = combined.Split('.');
+            if (split.Length == 2 && Guid.TryParse(split[0], out linkId) && Guid.TryParse(split[1], out var uId) && !Equals(uId, userId.Value))
+            {
+                linkId = default;
+            }
+        }
+
         return linkId == default ? (EmailValidationKeyProvider.ValidationResult.Invalid, default) : (EmailValidationKeyProvider.ValidationResult.Ok, linkId);
     }
 

diff --git a/products/ASC.Files/Core/Core/VirtualRooms/InvitationService.cs b/products/ASC.Files/Core/Core/VirtualRooms/InvitationService.cs
@@ -47,7 +47,7 @@ public class InvitationService(
 {
     public string GetInvitationLink(Guid linkId, Guid createdBy)
     {
-        var key = invitationValidator.MakeIndividualLinkKey(linkId);
+        var key = invitationValidator.MakeIndividualLinkKey(linkId, createdBy);
         return commonLinkUtility.GetConfirmationUrl(key, ConfirmType.LinkInvite, createdBy);
     }
 
@@ -58,14 +58,14 @@ public async Task<string> GetInvitationLinkAsync(string email, FileShare share,
         return link;
     }
 
-    public async Task<Validation> ConfirmAsync(string key, string email, EmployeeType employeeType, string roomId = null)
+    public async Task<Validation> ConfirmAsync(string key, string email, EmployeeType employeeType, string roomId = null, Guid? userId = default)
     {
         if (!await iPSecurity.VerifyAsync())
         {
             throw new SecurityException();
         }
 
-        var data = await GetLinkDataAsync(key, email, employeeType);
+        var data = await GetLinkDataAsync(key, email, employeeType, userId);
         var validation = new Validation { Result = data.Result };
 
         if (data.Result is EmailValidationKeyProvider.ValidationResult.Invalid or EmailValidationKeyProvider.ValidationResult.Expired)
@@ -207,9 +207,9 @@ public async Task<InvitationLinkData> GetInvitationDataAsync(string key, string
         return data;
     }
 
-    private async Task<InvitationLinkData> GetLinkDataAsync(string key, string email, EmployeeType employeeType = EmployeeType.All)
+    private async Task<InvitationLinkData> GetLinkDataAsync(string key, string email, EmployeeType employeeType = EmployeeType.All, Guid? userId = default)
     {
-        var result = await invitationValidator.ValidateAsync(key, email, employeeType);
+        var result = await invitationValidator.ValidateAsync(key, email, employeeType, userId);
         var data = new InvitationLinkData
         {
             Result = result.Status, 

diff --git a/web/ASC.Web.Api/Api/AuthenticationController.cs b/web/ASC.Web.Api/Api/AuthenticationController.cs
@@ -350,7 +350,7 @@ public async Task<ConfirmDto> CheckConfirm(EmailValidationKeyModel inDto)
             return new ConfirmDto { Result = await emailValidationKeyModelHelper.ValidateAsync(inDto)};
         }
 
-        var result = await invitationService.ConfirmAsync(inDto.Key, inDto.Email, inDto.EmplType ?? default, inDto.RoomId);
+        var result = await invitationService.ConfirmAsync(inDto.Key, inDto.Email, inDto.EmplType ?? default, inDto.RoomId, inDto.UiD);
 
         return mapper.Map<Validation, ConfirmDto>(result);
     }

diff --git a/web/ASC.Web.Api/Api/PortalController.cs b/web/ASC.Web.Api/Api/PortalController.cs
@@ -129,7 +129,7 @@ public async Task<object> GeInviteLinkAsync(EmployeeType employeeType)
             return string.Empty;
         }
 
-        var link = await commonLinkUtility.GetConfirmationEmailUrlAsync(string.Empty, ConfirmType.LinkInvite, (int)employeeType, authContext.CurrentAccount.ID)
+        var link = await commonLinkUtility.GetConfirmationEmailUrlAsync(string.Empty, ConfirmType.LinkInvite, (int)employeeType + authContext.CurrentAccount.ID.ToString(), authContext.CurrentAccount.ID)
                 + $"&emplType={employeeType:d}";
 
         return await urlShortener.GetShortenLinkAsync(link);