From 3919a3ec70d943256f8125b99d10ba8136c2e22f Mon Sep 17 00:00:00 2001
From: Ralf Haferkamp <rhaferkamp@owncloud.com>
Date: Mon, 15 Apr 2024 18:04:02 +0200
Subject: [PATCH] Fix nested resource check for publicly shared space root

The 'Path' returned as part of the ResourceInfo from a Stat call might
be relative. So we need to Use 'GetPath()' to lookup the full path of
the parent. Otherwise the simple 'HasPrefix' check for whether a file a
ancestor might fail.

Co-Authored-By: Christian Richter <crichter@owncloud.com>
---
 changelog/unreleased/fix_public_share_space_root.md |  7 +++++++
 internal/grpc/interceptors/auth/scope.go            | 12 ++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 changelog/unreleased/fix_public_share_space_root.md

diff --git a/changelog/unreleased/fix_public_share_space_root.md b/changelog/unreleased/fix_public_share_space_root.md
new file mode 100644
index 0000000000..80eb228d16
--- /dev/null
+++ b/changelog/unreleased/fix_public_share_space_root.md
@@ -0,0 +1,7 @@
+Bugfix: Fix access to files withing a public link targeting a space root
+
+We fixed an issue that prevented users from opening documents within a public share
+that targets a space root.
+
+https://github.com/cs3org/reva/pull/4632/
+https://github.com/owncloud/ocis/issues/8691
diff --git a/internal/grpc/interceptors/auth/scope.go b/internal/grpc/interceptors/auth/scope.go
index 1b5edd9f20..5cb6183c61 100644
--- a/internal/grpc/interceptors/auth/scope.go
+++ b/internal/grpc/interceptors/auth/scope.go
@@ -264,7 +264,15 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
 	if statResponse.Status.Code != rpc.Code_CODE_OK {
 		return false, statuspkg.NewErrorFromCode(statResponse.Status.Code, "auth interceptor")
 	}
-	parentPath := statResponse.Info.Path
+
+	pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: statResponse.GetInfo().GetId()})
+	if err != nil {
+		return false, err
+	}
+	if pathResp.Status.Code != rpc.Code_CODE_OK {
+		return false, statuspkg.NewErrorFromCode(pathResp.Status.Code, "auth interceptor")
+	}
+	parentPath := pathResp.Path
 
 	childPath := ref.GetPath()
 	if childPath != "" && childPath != "." && strings.HasPrefix(childPath, parentPath) {
@@ -308,7 +316,7 @@ func checkIfNestedResource(ctx context.Context, ref *provider.Reference, parent
 	if childStat.Status.Code != rpc.Code_CODE_OK {
 		return false, statuspkg.NewErrorFromCode(childStat.Status.Code, "auth interceptor")
 	}
-	pathResp, err := client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()})
+	pathResp, err = client.GetPath(ctx, &provider.GetPathRequest{ResourceId: childStat.GetInfo().GetId()})
 	if err != nil {
 		return false, err
 	}