fix: Hide download action when file does not provide download permiss…

…ions

This is not only a possibility for public shares but also for internal shares,

the current code only "checked" public shares.

This adds the same logic we use in the files app. Probably something to move to

`@nextcloud/sharing` but for the moment lets just reuse here.

Signed-off-by: Ferdinand Thiessen <[email protected]>

[skip ci]

cypress/e2e/download-forbidden.cy.ts

@@ -0,0 +1,67 @@
+/**
+ * SPDX-License: AGPL-3.0-or-later
+ * SPDX-: Nextcloud GmbH and Nextcloud contributors
+ */
+
+import type { User } from '@nextcloud/cypress'
+import { ShareType } from '@nextcloud/sharing'
+
+describe('Disable download button if forbidden', { testIsolation: true }, () => {
+	let sharee: User
+
+	before(() => {
+		cy.createRandomUser().then((user) => { sharee = user })
+		cy.createRandomUser().then((user) => {
+			// Upload test files
+			cy.createFolder(user, '/Photos')
+			cy.uploadFile(user, 'image1.jpg', 'image/jpeg', '/Photos/image1.jpg')
+
+			cy.login(user)
+			cy.createShare('/Photos',
+				{ shareWith: sharee.userId, shareType: ShareType.User, attributes: [{ scope: 'permissions', key: 'download', value: false }] },
+			)
+			cy.logout()
+		})
+	})
+
+	beforeEach(() => {
+		cy.login(sharee)
+		cy.visit('/apps/files')
+		cy.openFile('Photos')
+	})
+
+	it('See the shared folder and images in files list', () => {
+		cy.getFile('image1.jpg', { timeout: 10000 })
+			.should('contain', 'image1 .jpg')
+	})
+
+	// TODO: Fix no-download files on server
+	it.skip('See the image can be shown', () => {
+		cy.getFile('image1.jpg').should('be.visible')
+		cy.openFile('image1.jpg')
+		cy.get('body > .viewer').should('be.visible')
+
+		cy.get('body > .viewer', { timeout: 10000 })
+			.should('be.visible')
+			.and('have.class', 'modal-mask')
+			.and('not.have.class', 'icon-loading')
+	})
+
+	it('See the title on the viewer header but not the Download nor the menu button', () => {
+		cy.getFile('image1.jpg').should('be.visible')
+		cy.openFile('image1.jpg')
+		cy.get('body > .viewer .modal-header__name').should('contain', 'image1.jpg')
+
+		cy.get('[role="dialog"]')
+			.should('be.visible')
+			.find('button[aria-label="Actions"]')
+			.click()
+
+		cy.get('[role="menu"]:visible')
+			.find('button')
+			.should('have.length', 2)
+			.each(($el) => {
+				expect($el.text()).to.match(/(Full screen|Open sidebar)/i)
+			})
+	})
+})

cypress/support/commands.ts

@@ -20,10 +20,11 @@
  *
  */
 
-import { addCommands, User } from '@nextcloud/cypress'
-import { basename } from 'path'
-import axios from '@nextcloud/axios'
+import { addCommands } from '@nextcloud/cypress'
+import { Permission } from '@nextcloud/files'
+import { ShareType } from '@nextcloud/sharing'
 import { addCompareSnapshotCommand } from 'cypress-visual-regression/dist/command'
+import { basename } from 'path'
 
 addCommands()
 addCompareSnapshotCommand()
@@ -125,32 +126,48 @@ Cypress.Commands.add(
 	},
 )
 
+interface ShareOptions {
+	shareType: number
+	shareWith?: string
+	permissions: number
+	attributes?: { value: boolean, key: string, scope: string}[]
+}
+
+Cypress.Commands.add('createShare', (path: string, shareOptions?: ShareOptions) => {
+	return cy.request('/csrftoken').then(({ body }) => {
+		const requesttoken = body.token
+
+		return cy.request({
+			method: 'POST',
+			url: '../ocs/v2.php/apps/files_sharing/api/v1/shares?format=json',
+			headers: {
+				requesttoken,
+			},
+			body: {
+				path,
+				permissions: Permission.READ,
+				...shareOptions,
+				attributes: shareOptions?.attributes && JSON.stringify(shareOptions.attributes),
+			},
+		}).then(({ body }) => {
+			const shareToken = body.ocs?.data?.token
+			if (shareToken === undefined) {
+				throw new Error('Invalid OCS response')
+			}
+			cy.log('Share link created', shareToken)
+			return cy.wrap(shareToken)
+		})
+	})
+})
+
 /**
  * Create a share link and return the share url
  *
  * @param {string} path the file/folder path
  * @return {string} the share link url
  */
 Cypress.Commands.add('createLinkShare', path => {
-	return cy.window().then(async window => {
-		try {
-			const request = await axios.post(`${Cypress.env('baseUrl')}/ocs/v2.php/apps/files_sharing/api/v1/shares`, {
-				path,
-				shareType: window.OC.Share.SHARE_TYPE_LINK,
-			}, {
-				headers: {
-					requesttoken: window.OC.requestToken,
-				},
-			})
-			if (!('ocs' in request.data) || !('token' in request.data.ocs.data && request.data.ocs.data.token.length > 0)) {
-				throw request
-			}
-			cy.log('Share link created', request.data.ocs.data.token)
-			return cy.wrap(request.data.ocs.data.token)
-		} catch (error) {
-			console.error(error)
-		}
-	}).should('have.length', 15)
+	return cy.createShare(path, { shareType: ShareType.Link })
 })
 
 Cypress.Commands.overwrite('compareSnapshot', (originalFn, subject, name, options) => {

src/utils/canDownload.ts

@@ -0,0 +1,24 @@
+/*!
+ * SPDX-FileCopyrightText: 2024 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+
+import type { FileInfo } from './fileUtils'
+
+/**
+ * Check if download permissions are granted for a file
+ * @param fileInfo The file info to check
+ */
+export function canDownload(fileInfo: FileInfo) {
+	// TODO: This should probably be part of `@nextcloud/sharing`
+	// check share attributes
+	const shareAttributes = JSON.parse(fileInfo.shareAttributes || '[]')
+
+	if (shareAttributes && shareAttributes.length > 0) {
+		const downloadAttribute = shareAttributes.find(({ scope, key }) => scope === 'permissions' && key === 'download')
+		// We only forbid download if the attribute is *explicitly* set to 'false'
+		return downloadAttribute?.value !== false
+	}
+	// otherwise return true (as the file needs read permission otherwise we would not have opened it)
+	return true
+}

src/views/Viewer.vue

@@ -62,7 +62,6 @@
 		:spread-navigation="true"
 		:style="{ width: isSidebarShown ? `${sidebarPosition}px` : null }"
 		:name="currentFile.basename"
-		:view="currentFile.modal"
 		class="viewer"
 		size="full"
 		@close="close"
@@ -99,21 +98,24 @@
 				:close-after-click="true"
 				:href="downloadPath">
 				<template #icon>
-					<Download :size="24" />
+					<Download :size="20" />
 				</template>
 				{{ t('viewer', 'Download') }}
 			</NcActionLink>
 			<NcActionButton v-if="canDelete"
 				:close-after-click="true"
 				@click="onDelete">
 				<template #icon>
-					<Delete :size="22" />
+					<Delete :size="20" />
 				</template>
 				{{ t('viewer', 'Delete') }}
 			</NcActionButton>
 		</template>
 
-		<div class="viewer__content" :class="contentClass" @click.self.exact="close">
+		<div class="viewer__content"
+			:class="contentClass"
+			@click.self.exact="close"
+			@contextmenu="preventContextMenu">
 			<!-- COMPARE FILE -->
 			<div v-if="comparisonFile && !comparisonFile.failed && showComparison" class="viewer__file-wrapper">
 				<component :is="comparisonFile.modal"
@@ -376,12 +378,16 @@ export default {
 		},
 
 		/**
-		 * Is the current user allowed to download the file in public mode?
+		 * Is the current user allowed to download the file
 		 *
 		 * @return {boolean}
 		 */
 		canDownload() {
-			return canDownload() && !this.comparisonFile
+			// download not possible for comparison
+			if (this.comparisonFile) {
+				return false
+			}
+			return this.currentFile && canDownload(this.currentFile)
 		},
 
 		/**
@@ -392,7 +398,7 @@ export default {
 		 */
 		canEdit() {
 			return !this.isMobile
-				&& canDownload()
+				&& this.canDownload
 				&& this.currentFile?.permissions?.includes('W')
 				&& this.isImage
 				&& !this.comparisonFile
@@ -580,6 +586,17 @@ export default {
 	},
 
 	methods: {
+		/**
+		 * If there is no download permission also hide the context menu.
+		 * @param {MouseEvent} event The mouse click event
+		 */
+		preventContextMenu(event) {
+			if (this.canDownload) {
+				return
+			}
+			event.preventDefault()
+		},
+
 		async beforeOpen() {
 			// initial loading start
 			this.initiated = true