Merge pull request #6504 from nextcloud/backport/6487/stable27

[stable27] fix: Apply checks on shares in the middleware

lib/Middleware/SessionMiddleware.php

@@ -16,10 +16,12 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
+use OCP\Constants;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotPermittedException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager as ShareManager;
@@ -31,6 +33,7 @@ public function __construct(
 		private IRequest $request,
 		private SessionService $sessionService,
 		private DocumentService $documentService,
+		private ISession $session,
 		private IUserSession $userSession,
 		private IRootFolder $rootFolder,
 		private ShareManager $shareManager,
@@ -125,10 +128,28 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
 			} catch (ShareNotFound) {
 				throw new InvalidSessionException();
 			}
+
 			// Check if shareToken has access to document
 			if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {
 				throw new InvalidSessionException();
 			}
+
+			/** @psalm-suppress RedundantConditionGivenDocblockType */
+			if ($share->getPassword() !== null) {
+				$shareId = $this->session->get('public_link_authenticated');
+				if ($share->getId() !== $shareId) {
+					throw new InvalidSessionException();
+				}
+			}
+
+			if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
+				throw new InvalidSessionException();
+			}
+
+			$attributes = $share->getAttributes();
+			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+				throw new InvalidSessionException();
+			}
 		} else {
 			throw new InvalidSessionException();
 		}