fix(files): check that node is in user root folder for view-in-folder action

Signed-off-by: skjnldsv <skjnldsv@protonmail.com>
2026-06-10 17:23:59 -04:00 · 2024-11-08 09:23:12 +01:00 · 2024-11-08 09:23:12 +01:00 · 9571e34182
commit 9571e34182
parent 4a2091ecb7
2 changed files with 17 additions and 0 deletions
--- a/apps/files/src/actions/viewInFolderAction.spec.ts
+++ b/apps/files/src/actions/viewInFolderAction.spec.ts
@ -109,6 +109,18 @@ describe('View in folder action enabled tests', () => {
 		expect(action.enabled).toBeDefined()
 		expect(action.enabled!([folder], view)).toBe(false)
 	})
+
+	test('Disabled for files outside the user root folder', () => {
+		const file = new Folder({
+			id: 1,
+			source: 'https://cloud.domain.com/remote.php/dav/trashbin/admin/trash/image.jpg.d1731053878',
+			owner: 'admin',
+			permissions: Permission.READ,
+		})
+
+		expect(action.enabled).toBeDefined()
+		expect(action.enabled!([file], view)).toBe(false)
+	})
 })

 describe('View in folder action execute tests', () => {
--- a/apps/files/src/actions/viewInFolderAction.ts
+++ b/apps/files/src/actions/viewInFolderAction.ts
@ -36,6 +36,11 @@ export const action = new FileAction({
 			return false
 		}

+		// Can only view files that are in the user root folder
+		if (!node.root?.startsWith('/files')) {
+			return false
+		}
+
 		if (node.permissions === Permission.NONE) {
 			return false
 		}