From 0f783c5997fa6a225be6ff521a08f8f215d65589 Mon Sep 17 00:00:00 2001 From: Yannick Marcon Date: Wed, 4 Dec 2024 08:49:26 +0100 Subject: [PATCH] fix: included only readable files when folder content is listed recursively --- .../org/obiba/opal/web/FilesResource.java | 4 +-- .../opal/fs/security/SecuredFileObject.java | 25 ++++++++----------- 2 files changed, 13 insertions(+), 16 deletions(-) diff --git a/opal-core-ws/src/main/java/org/obiba/opal/web/FilesResource.java b/opal-core-ws/src/main/java/org/obiba/opal/web/FilesResource.java index 7ce1fffabc..ca673ddf4e 100644 --- a/opal-core-ws/src/main/java/org/obiba/opal/web/FilesResource.java +++ b/opal-core-ws/src/main/java/org/obiba/opal/web/FilesResource.java @@ -151,8 +151,8 @@ public Response updateFile(@PathParam("path") String destinationPath, return Response.status(Status.BAD_REQUEST).entity("Source file is missing").build(); // filter actions: copy, move - if ("move".equals(action.toLowerCase())) return moveTo(destinationFile, sourcesPath); - if ("copy".equals(action.toLowerCase())) return copyFrom(destinationFile, sourcesPath); + if ("move".equalsIgnoreCase(action)) return moveTo(destinationFile, sourcesPath); + if ("copy".equalsIgnoreCase(action)) return copyFrom(destinationFile, sourcesPath); return Response.status(Status.BAD_REQUEST).entity("Unexpected file action: " + action).build(); } diff --git a/opal-fs/src/main/java/org/obiba/opal/fs/security/SecuredFileObject.java b/opal-fs/src/main/java/org/obiba/opal/fs/security/SecuredFileObject.java index c2578e6a1a..0d24bf7e92 100644 --- a/opal-fs/src/main/java/org/obiba/opal/fs/security/SecuredFileObject.java +++ b/opal-fs/src/main/java/org/obiba/opal/fs/security/SecuredFileObject.java @@ -9,11 +9,8 @@ */ package org.obiba.opal.fs.security; -import java.util.Arrays; -import java.util.List; - +import com.google.common.collect.Lists; import jakarta.annotation.Nullable; - import org.apache.commons.vfs2.FileObject; import org.apache.commons.vfs2.FileSelector; import org.apache.commons.vfs2.FileSystemException; @@ -23,9 +20,7 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import com.google.common.base.Function; -import com.google.common.collect.Iterables; -import com.google.common.collect.Lists; +import java.util.List; class SecuredFileObject extends DecoratedFileObject { @@ -46,7 +41,9 @@ public void findFiles(FileSelector selector, boolean depthwise, List List securedSelected = Lists.newArrayList(); for (FileObject file : selected) { - securedSelected.add(new SecuredFileObject(authorizer,file)); + SecuredFileObject secured = new SecuredFileObject(authorizer, file); + if (secured.getParent() == null || secured.getParent().isReadable()) + securedSelected.add(secured); } selected.clear(); selected.addAll(securedSelected); @@ -61,7 +58,7 @@ public FileObject[] findFiles(FileSelector selector) throws FileSystemException @Override public FileObject getChild(String name) throws FileSystemException { FileObject child = super.getChild(name); - if(child == null) return null; + if (child == null) return null; return new SecuredFileObject(authorizer, child); } @@ -98,7 +95,7 @@ public FileObject resolveFile(String path) throws FileSystemException { @Override public boolean delete() throws FileSystemException { - if(isPermitted(getDecoratedFileObject(), "DELETE")) { + if (isPermitted(getDecoratedFileObject(), "DELETE")) { return super.delete(); } throw new FileSystemException("vfs.provider.local/delete-file.error", getName()); @@ -108,8 +105,8 @@ public boolean delete() throws FileSystemException { public void moveTo(FileObject destFile) throws FileSystemException { FileObject sourceFile = getDecoratedFileObject(); - if(isPermitted(sourceFile, "DELETE")) { - if(!(destFile instanceof SecuredFileObject)) { + if (isPermitted(sourceFile, "DELETE")) { + if (!(destFile instanceof SecuredFileObject)) { super.moveTo(destFile); return; } @@ -122,10 +119,10 @@ public void moveTo(FileObject destFile) throws FileSystemException { @Nullable private FileObject[] toSecuredFileObjects(FileObject... children) { - if(children == null) return null; + if (children == null) return null; FileObject[] secured = new FileObject[children.length]; - for (int i=0; i