validate reshare attributes based on supershare

mrow4a · mrow4a · commit 1174638e1e72 · 2019-10-11T09:41:15.000+02:00
diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php
@@ -322,6 +322,9 @@ protected function validatePermissions(IShare $share) {
 		/* Use share node permission as default $maxPermissions */
 		$maxPermissions = $shareNode->getPermissions();
 
+		/* Attributes default is null, as attributes are restricted only in reshare */
+		$maxAttributes = null;
+
 		/*
 		 * Quick fix for #23536
 		 * Non moveable mount points do not have update and delete permissions
@@ -352,6 +355,7 @@ protected function validatePermissions(IShare $share) {
 					'@phan-var \OCA\Files_Sharing\SharedStorage $shareFileStorage';
 					$parentShare = $shareFileStorage->getShare();
 					$maxPermissions = $parentShare->getPermissions();
+					$maxAttributes = $parentShare->getAttributes();
 				}
 			}
 		}
@@ -361,6 +365,11 @@ protected function validatePermissions(IShare $share) {
 			$message_t = $this->l->t('Cannot increase permissions of %s', [$share->getNode()->getPath()]);
 			throw new GenericShareException($message_t, $message_t, 404);
 		}
+
+		if ($maxAttributes !== null && !$this->strictSubsetOfAttributes($maxAttributes, $share->getAttributes())) {
+			$message_t = $this->l->t('Cannot set attributes of %s', [$share->getNode()->getPath()]);
+			throw new GenericShareException($message_t, $message_t, 404);
+		}
 	}
 
 	/**
@@ -1666,4 +1675,29 @@ private function isNewShare(IShare $share) {
 	private function strictSubsetOfPermissions($allowedPermissions, $newPermissions) {
 		return (($allowedPermissions | $newPermissions) === $allowedPermissions);
 	}
+
+	/**
+	 * Check $newAttributes attribute is a subset of $allowedAttributes
+	 *
+	 * @param IAttributes $allowedAttributes
+	 * @param IAttributes $newAttributes
+	 * @return boolean ,true if $allowedAttributes enabled is super set of $newAttributes enabled, else false
+	 */
+	private function strictSubsetOfAttributes($allowedAttributes, $newAttributes) {
+		if ((!$allowedAttributes || empty($allowedAttributes->toArray()))
+			&& (!$newAttributes || empty($newAttributes->toArray()))) {
+			return true;
+		}
+
+		foreach ($allowedAttributes->toArray() as $allowedAttribute) {
+			$enabled = $newAttributes->getAttribute($allowedAttribute['scope'], $allowedAttribute['key']);
+
+			if (($allowedAttribute['enabled'] === $enabled) ||
+				($allowedAttribute['enabled'] === true && $enabled === false)) {
+				// set to the same value or disabling attribute
+				return true;
+			}
+		}
+		return false;
+	}
 }
diff --git a/tests/lib/Share20/ManagerTest.php b/tests/lib/Share20/ManagerTest.php
@@ -42,6 +42,7 @@
 use OCP\Security\IHasher;
 use OCP\Security\ISecureRandom;
 use OCP\Share\Exceptions\ShareNotFound;
+use OCP\Share\IAttributes;
 use OCP\Share\IProviderFactory;
 use OCP\Share\IShare;
 use OCP\Share\IShareProvider;
@@ -3494,6 +3495,70 @@ public function testGetAllSharedWith() {
 		$this->assertSame($shares, [$share1, $share2]);
 	}
 
+	/**
+	 * @dataProvider strictSubsetOfAttributesDataProvider
+	 *
+	 * @param IAttributes $allowedAttributes
+	 * @param IAttributes $newAttributes
+	 * @param boolean $expected
+	 */
+	public function testStrictSubsetOfAttributes($allowedAttributes, $newAttributes, $expected) {
+		$this->assertEquals(
+			$expected,
+			$this->invokePrivate(
+				$this->manager,
+				'strictSubsetOfAttributes',
+				[$allowedAttributes, $newAttributes]
+			)
+		);
+	}
+
+	public function strictSubsetOfAttributesDataProvider() {
+		$providedValues = [];
+
+		// removal of attributes should result in false
+		$allowedAttributes = $this->createMock(IAttributes::class);
+		$newAttributes = $this->createMock(IAttributes::class);
+		$allowedAttributes->method('toArray')->willReturn([
+			['scope' => 'app1', 'key' => 'perm1', 'enabled' => false]
+		]);
+		$newAttributes->expects($this->at(0))
+			->method('getAttribute')->with('app1', 'perm1')->will($this->returnValue(null));
+		$providedValues[] = [$allowedAttributes, $newAttributes, false];
+
+		// increase of attributes should result in false
+		$allowedAttributes = $this->createMock(IAttributes::class);
+		$newAttributes = $this->createMock(IAttributes::class);
+		$allowedAttributes->method('toArray')->willReturn([
+			['scope' => 'app1', 'key' => 'perm1', 'enabled' => false]
+		]);
+		$newAttributes->expects($this->at(0))
+			->method('getAttribute')->with('app1', 'perm1')->will($this->returnValue(true));
+		$providedValues[] = [$allowedAttributes, $newAttributes, false];
+
+		// no change of attributes should result in true
+		$allowedAttributes = $this->createMock(IAttributes::class);
+		$newAttributes = $this->createMock(IAttributes::class);
+		$allowedAttributes->method('toArray')->willReturn([
+			['scope' => 'app1', 'key' => 'perm1', 'enabled' => true]
+		]);
+		$newAttributes->expects($this->at(0))
+			->method('getAttribute')->with('app1', 'perm1')->will($this->returnValue(true));
+		$providedValues[] = [$allowedAttributes, $newAttributes, true];
+
+		// decrease of attributes should result in true
+		$allowedAttributes = $this->createMock(IAttributes::class);
+		$newAttributes = $this->createMock(IAttributes::class);
+		$allowedAttributes->method('toArray')->willReturn([
+			['scope' => 'app1', 'key' => 'perm1', 'enabled' => true]
+		]);
+		$newAttributes->expects($this->at(0))
+			->method('getAttribute')->with('app1', 'perm1')->will($this->returnValue(false));
+		$providedValues[] = [$allowedAttributes, $newAttributes, true];
+
+		return $providedValues;
+	}
+
 	/**
 	 * @dataProvider strictSubsetOfPermissionsDataProvider
 	 *
