Block download when needed on direct download endpoint

Signed-off-by: Vincent Petry <vincent@nextcloud.com>

apps/dav/lib/Controller/DirectController.php

@@ -31,8 +31,11 @@ use OCA\DAV\Db\DirectMapper;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\OCS\OCSBadRequestException;
 use OCP\AppFramework\OCS\OCSNotFoundException;
+use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\AppFramework\OCSController;
 use OCP\AppFramework\Utility\ITimeFactory;
+use OCP\EventDispatcher\GenericEvent;
+use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Files\File;
 use OCP\Files\IRootFolder;
 use OCP\IRequest;
@@ -59,6 +62,8 @@ class DirectController extends OCSController {
 	/** @var IURLGenerator */
 	private $urlGenerator;
 
+	/** @var IEventDispatcher */
+	private $eventDispatcher;
 
 	public function __construct(string $appName,
 								IRequest $request,
@@ -67,7 +72,8 @@ class DirectController extends OCSController {
 								DirectMapper $mapper,
 								ISecureRandom $random,
 								ITimeFactory $timeFactory,
-								IURLGenerator $urlGenerator) {
+								IURLGenerator $urlGenerator,
+								IEventDispatcher $eventDispatcher) {
 		parent::__construct($appName, $request);
 
 		$this->rootFolder = $rootFolder;
@@ -76,6 +82,7 @@ class DirectController extends OCSController {
 		$this->random = $random;
 		$this->timeFactory = $timeFactory;
 		$this->urlGenerator = $urlGenerator;
+		$this->eventDispatcher = $eventDispatcher;
 	}
 
 	/**
@@ -99,6 +106,13 @@ class DirectController extends OCSController {
 			throw new OCSBadRequestException('Direct download only works for files');
 		}
 
+		$event = new GenericEvent(null, ['path' => $userFolder->getRelativePath($file->getPath())]);
+		$this->eventDispatcher->dispatch('file.beforeGetDirect', $event);
+
+		if ($event->getArgument('run') === false) {
+			throw new OCSForbiddenException('Permission denied to download file');
+		}
+
 		//TODO: at some point we should use the directdownlaod function of storages
 		$direct = new Direct();
 		$direct->setUserId($this->userId);

apps/files_sharing/lib/AppInfo/Application.php

@@ -165,6 +165,7 @@ class Application extends App implements IBootstrap {
 			'file.beforeGetDirect',
 			function (GenericEvent $event) use ($userSession, $rootFolder) {
 				$pathsToCheck = [$event->getArgument('path')];
+				$event->setArgument('run', true);
 
 				// Check only for user/group shares. Don't restrict e.g. share links
 				if ($userSession && $userSession->isLoggedIn()) {
@@ -173,6 +174,7 @@ class Application extends App implements IBootstrap {
 						$rootFolder->getUserFolder($uid)
 					);
 					if (!$viewOnlyHandler->check($pathsToCheck)) {
+						$event->setArgument('run', false);
 						$event->setArgument('errorMessage', 'Access to this resource or one of its sub-items has been denied.');
 					}
 				}