fixup! fix(SecureView): hide disfunctional *download* files action

Author: blizzz

lib/DAV/SecureViewPlugin.php

@@ -9,16 +9,13 @@
 
 use OCA\DAV\Connector\Sabre\FilesPlugin;
 use OCA\DAV\Connector\Sabre\Node;
-use OCA\Richdocuments\AppConfig;
 use OCA\Richdocuments\Middleware\WOPIMiddleware;
-use OCA\Richdocuments\PermissionManager;
+use OCA\Richdocuments\Service\SecureViewService;
 use OCA\Richdocuments\Storage\SecureViewWrapper;
 use OCP\Files\ForbiddenException;
 use OCP\Files\NotFoundException;
-use OCP\Files\Storage\ISharedStorage;
-use OCP\Files\Storage\IStorage;
+use OCP\Files\StorageNotAvailableException;
 use OCP\IAppConfig;
-use OCP\IUserSession;
 use Sabre\DAV\INode;
 use Sabre\DAV\PropFind;
 use Sabre\DAV\Server;
@@ -27,14 +24,13 @@
 class SecureViewPlugin extends ServerPlugin {
 	public function __construct(
 		protected WOPIMiddleware $wopiMiddleware,
-		protected IUserSession $userSession,
-		protected PermissionManager $permissionManager,
 		protected IAppConfig $appConfig,
+		protected SecureViewService $secureViewService,
 	) {
 	}
 
 	public function initialize(Server $server) {
-		if ($this->appConfig->getValueString(AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_enabled', 'no') === 'no') {
+		if (!$this->secureViewService->isEnabled()) {
 			return;
 		}
 		$server->on('propFind', $this->handleGetProperties(...));
@@ -64,49 +60,19 @@ private function handleGetProperties(PropFind $propFind, INode $node): void {
 	}
 
 	private function isDownloadable(\OCP\Files\Node $node): bool {
-		try {
-			$this->checkFileAccess($node->getInternalPath(), $node->getStorage());
+		$storage = $node->getStorage();
+		if ($this->wopiMiddleware->isWOPIRequest()
+			|| $storage === null
+			|| !$storage->instanceOfStorage(SecureViewWrapper::class)
+		) {
 			return true;
-		} catch (ForbiddenException) {
-			return false;
-		}
-	}
-
-	private function checkFileAccess(string $path, IStorage $storage): void {
-		if ($this->wopiMiddleware->isWOPIRequest() || !$storage->instanceOfStorage(SecureViewWrapper::class)) {
-			return;
-		}
-
-		if ($this->shouldSecure($path, $storage)) {
-			throw new ForbiddenException('Download blocked due the secure view policy', false);
-		}
-	}
-
-	// FIXME: remove duplication by moving into a SecureViewService
-	private function shouldSecure(string $path, ?IStorage $sourceStorage = null): bool {
-		if ($sourceStorage !== $this && $sourceStorage !== null) {
-			$fp = $sourceStorage->fopen($path, 'r');
-			fclose($fp);
 		}
 
-		$storage = $sourceStorage ?? $this;
-		$cacheEntry = $storage->getCache()->get($path);
-		if (!$cacheEntry) {
-			$parent = dirname($path);
-			if ($parent === '.') {
-				$parent = '';
-			}
-			$cacheEntry = $storage->getCache()->get($parent);
-			if (!$cacheEntry) {
-				throw new NotFoundException(sprintf('Could not find cache entry for path and parent of %s within storage %s ', $path, $storage->getId()));
-			}
+		try {
+			return !$this->secureViewService->shouldSecure($node->getInternalPath(), $storage);
+		} catch (StorageNotAvailableException|ForbiddenException|NotFoundException $e) {
+			// Exceptions cannot be nicely inferred.
+			return false;
 		}
-
-		$isSharedStorage = $storage->instanceOfStorage(ISharedStorage::class);
-
-		$share = $isSharedStorage ? $storage->getShare() : null;
-		$userId = $this->userSession->getUser()?->getUID();
-
-		return $this->permissionManager->shouldWatermark($cacheEntry, $userId, $share, $storage->getOwner($path) ?: null);
 	}
 }

lib/Listener/AddSabrePluginListener.php

@@ -14,6 +14,7 @@
 use OCP\EventDispatcher\IEventListener;
 use Psr\Container\ContainerInterface;
 
+/** @template-implements IEventListener<SabrePluginAddEvent|BeforeSabrePubliclyLoadedEvent> */
 class AddSabrePluginListener implements IEventListener {
 
 	public function __construct(

lib/Service/SecureViewService.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+/**
+ * SPDX-FileCopyrightText: 2025 Nextcloud GmbH and Nextcloud contributors
+ * SPDX-License-Identifier: AGPL-3.0-or-later
+ */
+namespace OCA\Richdocuments\Service;
+
+use OC\Files\Storage\Wrapper\Wrapper;
+use OCA\Richdocuments\AppConfig;
+use OCA\Richdocuments\PermissionManager;
+use OCP\Files\NotFoundException;
+use OCP\Files\Storage\ISharedStorage;
+use OCP\Files\Storage\IStorage;
+use OCP\IAppConfig;
+use OCP\IUserSession;
+
+class SecureViewService {
+	public function __construct(
+		protected IUserSession $userSession,
+		protected PermissionManager $permissionManager,
+		protected IAppConfig $appConfig,
+	) {
+	}
+
+	public function isEnabled(): bool {
+		return $this->appConfig->getValueString(AppConfig::WATERMARK_APP_NAMESPACE, 'watermark_enabled', 'no') !== 'no';
+	}
+
+	public function shouldSecure(string $path, IStorage|Wrapper $storage, bool $tryOpen = true): bool {
+		if ($tryOpen) {
+			$fp = $storage->fopen($path, 'r');
+			fclose($fp);
+		}
+
+		$cacheEntry = $storage->getCache()->get($path);
+		if (!$cacheEntry) {
+			$parent = dirname($path);
+			if ($parent === '.') {
+				$parent = '';
+			}
+			$cacheEntry = $storage->getCache()->get($parent);
+			if (!$cacheEntry) {
+				throw new NotFoundException(sprintf('Could not find cache entry for path and parent of %s within storage %s ', $path, $storage->getId()));
+			}
+		}
+
+		$isSharedStorage = $storage->instanceOfStorage(ISharedStorage::class);
+		/** @noinspection PhpPossiblePolymorphicInvocationInspection */
+		/** @psalm-suppress UndefinedMethod **/
+		$share = $isSharedStorage ? $storage->getShare() : null;
+		$userId = $this->userSession->getUser()?->getUID();
+
+		return $this->permissionManager->shouldWatermark($cacheEntry, $userId, $share, $storage->getOwner($path) ?: null);
+	}
+}

lib/Storage/SecureViewWrapper.php

@@ -11,10 +11,9 @@
 use OC\Files\Storage\Wrapper\Wrapper;
 use OCA\Richdocuments\Middleware\WOPIMiddleware;
 use OCA\Richdocuments\PermissionManager;
+use OCA\Richdocuments\Service\SecureViewService;
 use OCP\Files\ForbiddenException;
 use OCP\Files\IRootFolder;
-use OCP\Files\NotFoundException;
-use OCP\Files\Storage\ISharedStorage;
 use OCP\Files\Storage\IStorage;
 use OCP\IUserSession;
 use OCP\Server;
@@ -24,6 +23,7 @@ class SecureViewWrapper extends Wrapper {
 	private WOPIMiddleware $wopiMiddleware;
 	private IRootFolder $rootFolder;
 	private IUserSession $userSession;
+	private SecureViewService $secureViewService;
 
 	private string $mountPoint;
 
@@ -34,6 +34,7 @@ public function __construct(array $parameters) {
 		$this->wopiMiddleware = Server::get(WOPIMiddleware::class);
 		$this->rootFolder = Server::get(IRootFolder::class);
 		$this->userSession = Server::get(IUserSession::class);
+		$this->secureViewService = Server::get(SecureViewService::class);
 
 		$this->mountPoint = $parameters['mountPoint'];
 	}
@@ -78,41 +79,15 @@ public function rename(string $source, string $target): bool {
 	 * @throws ForbiddenException
 	 */
 	private function checkFileAccess(string $path): void {
-		if ($this->shouldSecure($path) && !$this->wopiMiddleware->isWOPIRequest()) {
+		if (!$this->wopiMiddleware->isWOPIRequest() && $this->secureViewService->shouldSecure($path, $this, false)) {
 			throw new ForbiddenException('Download blocked due the secure view policy', false);
 		}
 	}
 
-	private function shouldSecure(string $path, ?IStorage $sourceStorage = null): bool {
-		if ($sourceStorage !== $this && $sourceStorage !== null) {
-			$fp = $sourceStorage->fopen($path, 'r');
-			fclose($fp);
-		}
-
-		$storage = $sourceStorage ?? $this;
-		$cacheEntry = $storage->getCache()->get($path);
-		if (!$cacheEntry) {
-			$parent = dirname($path);
-			if ($parent === '.') {
-				$parent = '';
-			}
-			$cacheEntry = $storage->getCache()->get($parent);
-			if (!$cacheEntry) {
-				throw new NotFoundException(sprintf('Could not find cache entry for path and parent of %s within storage %s ', $path, $storage->getId()));
-			}
-		}
-
-		$isSharedStorage = $storage->instanceOfStorage(ISharedStorage::class);
-
-		$share = $isSharedStorage ? $storage->getShare() : null;
-		$userId = $this->userSession->getUser()?->getUID();
-
-		return $this->permissionManager->shouldWatermark($cacheEntry, $userId, $share, $storage->getOwner($path) ?: null);
-	}
-
-
 	private function checkSourceAndTarget(string $source, string $target, ?IStorage $sourceStorage = null): void {
-		if ($this->shouldSecure($source, $sourceStorage) && !$this->shouldSecure($target)) {
+		if ($this->secureViewService->shouldSecure($source, $sourceStorage ?? $this, $sourceStorage !== null)
+			&& !$this->secureViewService->shouldSecure($target, $this)
+		) {
 			throw new ForbiddenException('Download blocked due the secure view policy. The source requires secure view that the target cannot offer.', false);
 		}
 	}

tests/psalm-baseline.xml

@@ -8,11 +8,6 @@
       <code><![CDATA[array_key_exists($key, self::APP_SETTING_TYPES) && self::APP_SETTING_TYPES[$key] === 'array']]></code>
     </RedundantCondition>
   </file>
-  <file src="lib/AppInfo/Application.php">
-    <MissingDependency>
-      <code><![CDATA[SecureViewWrapper|IStorage]]></code>
-    </MissingDependency>
-  </file>
   <file src="lib/Command/ActivateConfig.php">
     <UndefinedClass>
       <code><![CDATA[Command]]></code>

tests/stub.phpstub

@@ -10,6 +10,18 @@ class OC_User {
 	public static function setIncognitoMode($status) {}
 }
 
+namespace OC\Files\Storage\Wrapper {
+	class Wrapper {
+		protected $storage;
+
+		public function __construct(array $parameters) {}
+		public function copy(string $source, string $target): bool {}
+		public function copyFromStorage(\OCP\Files\Storage\IStorage $sourceStorage, string $sourceInternalPath, string $targetInternalPath): bool {}
+		public function moveFromStorage(\OCP\Files\Storage\IStorage $sourceStorage, string $sourceInternalPath, string $targetInternalPath): bool {}
+		public function rename(string $source, string $target): bool {}
+	}
+}
+
 namespace OC\Hooks {
 	interface Emitter {
 		/**
@@ -32,6 +44,20 @@ namespace OC\Hooks {
 	}
 }
 
+namespace OCA\DAV\Connector\Sabre {
+	abstract class Node {
+		public function getNode(): \OCP\Files\Node;
+	}
+
+	class FilesPlugin {
+		public const SHARE_HIDE_DOWNLOAD_PROPERTYNAME = 'somePropertyName';
+	}
+}
+
+namespace OCA\DAV\Events {
+	class SabrePluginAddEvent extends \OCP\EventDispatcher\Event {}
+}
+
 namespace OCA\Federation {
 	class TrustedServers {
 		public function getServers() {
@@ -147,3 +173,30 @@ namespace OCA\Talk\Events {
 		}
 	}
 }
+
+namespace Sabre\DAV {
+	interface INode {}
+
+	class PropFind {
+		/**
+		 * @return string[]
+		 */
+		public function getRequestedProperties(): array {
+			return [];
+		}
+
+		public function get(string $key) {
+			return null;
+		}
+
+		public function set(string $key, $value) {}
+
+		public function handle(string $key, $valueOrCallable): void {}
+	}
+
+	class Server {
+		public function on(string $eventName, callable $callable): void {}
+	}
+
+    class ServerPlugin {}
+}