fix: Apply checks on shares in the middleware

Signed-off-by: Julius Härtl <jus@bitgrid.net>
Signed-off-by: Max <max@nextcloud.com>

lib/Middleware/SessionMiddleware.php

@@ -16,10 +16,12 @@
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\Http\Response;
 use OCP\AppFramework\Middleware;
+use OCP\Constants;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotPermittedException;
 use OCP\IL10N;
 use OCP\IRequest;
+use OCP\ISession;
 use OCP\IUserSession;
 use OCP\Share\Exceptions\ShareNotFound;
 use OCP\Share\IManager as ShareManager;
@@ -31,6 +33,7 @@ public function __construct(
 		private IRequest $request,
 		private SessionService $sessionService,
 		private DocumentService $documentService,
+		private ISession $session,
 		private IUserSession $userSession,
 		private IRootFolder $rootFolder,
 		private ShareManager $shareManager,
@@ -126,8 +129,25 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
 			} catch (ShareNotFound) {
 				throw new InvalidSessionException();
 			}
-			// Check if shareToken has access to document
-			if (count($this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)) === 0) {
+
+			$node = $this->rootFolder->getUserFolder($share->getShareOwner())->getById($documentId)[0];
+			if ($node === null) {
+				throw new InvalidSessionException();
+			}
+
+			if ($share->getPassword() !== null) {
+				$shareId = $this->session->get('public_link_authenticated');
+				if ($share->getId() !== $shareId) {
+					throw new InvalidSessionException();
+				}
+			}
+
+			if (($share->getPermissions() & Constants::PERMISSION_READ) !== Constants::PERMISSION_READ) {
+				throw new InvalidSessionException();
+			}
+
+			$attributes = $share->getAttributes();
+			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
 				throw new InvalidSessionException();
 			}
 		} else {