From 719b159a44e99f23aa8d66df8186c81188c662aa Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Tue, 13 Dec 2016 11:29:36 +0100
Subject: [PATCH] v1.1.24
Signed-off-by: Lukas Reschke
---
 CHANGELOG.md | 3 +++
 appinfo/info.xml | 2 +-
 lib/Controller/DocumentController.php | 15 +++++++++++++++
 lib/db/wopi.php | 1 -
 templates/documents.php | 5 -----
 5 files changed, 19 insertions(+), 7 deletions(-)
 create mode 100644 CHANGELOG.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 00000000..b5f8415f
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,3 @@
+**1.1.24**
+- Bug: Fix undefined PHP notices
+- Security: Properly check for password on password protected shares
\ No newline at end of file
diff --git a/appinfo/info.xml b/appinfo/info.xml
index 36969f55..94ca260e 100644
--- a/appinfo/info.xml
+++ b/appinfo/info.xml
@@ -5,7 +5,7 @@ Collabora Online allows you to to work with all kinds of office documents directly in your browser. This application requires Collabora Cloudsuite to be installed on one of your servers, please read the documentation to learn more about that. Edit office documents directly in your browser. AGPL
- 1.1.23
+ 1.1.24
 Collabora Productivity based on work of Frank Karlitschek, Victor Dubiniuk https://github.com/nextcloud/richdocuments/issues https://github.com/nextcloud/richdocuments.git
diff --git a/lib/Controller/DocumentController.php b/lib/Controller/DocumentController.php
index 4a93558c..4fde3599 100644
--- a/lib/Controller/DocumentController.php
+++ b/lib/Controller/DocumentController.php
@@ -26,6 +26,7 @@ use \OCP\AppFramework\Http\TemplateResponse;
 use \OCA\Richdocuments\AppConfig;
 use \OCA\Richdocuments\Helper;
 use \OC\Files\View;
+use OCP\ISession;
 use OCP\Share\IManager;
 class DocumentController extends Controller {
@@ -43,6 +44,8 @@ class DocumentController extends Controller {
 private $shareManager;
 /** @var TokenManager */
 private $tokenManager;
+ /** @var ISession */
+ private $session;
 /** @var IRootFolder */
 private $rootFolder;
@@ -58,6 +61,7 @@ class DocumentController extends Controller {
 * @param IManager $shareManager
 * @param TokenManager $tokenManager
 * @param IRootFolder $rootFolder
+ * @param ISession $session
 * @param string $UserId
 */
 public function __construct($appName,
@@ -69,6 +73,7 @@ class DocumentController extends Controller {
 IManager $shareManager,
 TokenManager $tokenManager,
 IRootFolder $rootFolder,
+ ISession $session,
 $UserId) {
 parent::__construct($appName, $request);
 $this->uid = $UserId;
@@ -79,6 +84,7 @@ class DocumentController extends Controller {
 $this->shareManager = $shareManager;
 $this->tokenManager = $tokenManager;
 $this->rootFolder = $rootFolder;
+ $this->session = $session;
 }
 /**
@@ -127,6 +133,15 @@ class DocumentController extends Controller {
 public function publicPage($shareToken, $fileName) {
 try {
 $share = $this->shareManager->getShareByToken($shareToken);
+ // not authenticated ?
+ if($share->getPassword()){
+ if (!$this->session->exists('public_link_authenticated')
+ || $this->session->get('public_link_authenticated') !== (string)$share->getId()
+ ) {
+ throw new \Exception('Invalid password');
+ }
+ }
+
 $node = $share->getNode();
 if($node instanceof Folder) {
 $item = $node->get($fileName);
diff --git a/lib/db/wopi.php b/lib/db/wopi.php
index 232a533d..d7467659 100644
--- a/lib/db/wopi.php
+++ b/lib/db/wopi.php
@@ -84,7 +84,6 @@ class Wopi extends \OCA\Richdocuments\Db{
 return array(
 'owner' => $row['owner_uid'],
 'editor' => $row['editor_uid'],
- 'path' => $row['path'],
 'canwrite' => $row['canwrite'],
 'server_host' => $row['server_host']
 );
diff --git a/templates/documents.php b/templates/documents.php
index f9f4d310..41e114e0 100644
--- a/templates/documents.php
+++ b/templates/documents.php
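Review bot: In `publicPage` (lib/Controller/DocumentController.php) the new password gate signals denial with a bare `\Exception('Invalid password')` thrown inside the `try`, and the matching `catch` lies outside this hunk, so what an unauthenticated visitor receives depends on a handler not shown here. It is worth confirming that handler neither renders the document nor echoes internal messages; a dedicated exception type, or an explicit redirect to the share's password form, would make the denial path visible at the call site. The session key `'public_link_authenticated'` is a magic string that presumably mirrors the server's own public-link authentication, so replacing `// not authenticated ?` with `// Password-protected share: proceed only if this session already authenticated against this share id` would state the contract. Any other entry point that resolves a share by token needs the same gate, so a small private helper would keep the checks in step, and `$share->getPassword() !== null` reads more clearly than relying on truthiness.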
@@ -19,8 +19,3 @@ script('richdocuments', 'documents'); - - - - - \ No newline at end of file