From dc05bb09f54af87e91d2c20c128708d3ffd19327 Mon Sep 17 00:00:00 2001
From: Ashod Nakashian
Date: Wed, 23 Mar 2016 21:56:06 -0400
Subject: [PATCH 1/3] wopi: CheckFileInfo handler added
---
 appinfo/routes.php | 1 +
 controller/documentcontroller.php | 32 +++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+)
diff --git a/appinfo/routes.php b/appinfo/routes.php
index 89f2b5d8..91044804 100644
--- a/appinfo/routes.php
+++ b/appinfo/routes.php
@@ -38,6 +38,7 @@ $application->registerRoutes($this, [
 ['name' => 'document#localClose', 'url' => 'close/{fileId}', 'verb' => 'POST'],
 //documents - for WOPI access
 ['name' => 'document#wopiGetToken', 'url' => 'wopi/token/{fileId}', 'verb' => 'GET'],
+ ['name' => 'document#wopiCheckFileInfo', 'url' => 'wopi/files/{fileId}', 'verb' => 'GET'],
 ['name' => 'document#wopiGetFile', 'url' => 'wopi/files/{fileId}/contents', 'verb' => 'GET'],
 ['name' => 'document#wopiPutFile', 'url' => 'wopi/files/{fileId}/contents', 'verb' => 'POST'],
 //settings
diff --git a/controller/documentcontroller.php b/controller/documentcontroller.php
index 8a72657d..1dbf043b 100644
--- a/controller/documentcontroller.php
+++ b/controller/documentcontroller.php
@@ -317,6 +317,38 @@ class DocumentController extends Controller{
 );
 }
+ /**
+ * @NoAdminRequired
+ * @NoCSRFRequired
+ * @PublicPage
+ * Returns general info about a file.
+ */
+ public function wopiCheckFileInfo($fileId){
+ $token = $this->request->getParam('access_token');
+
+ \OC::$server->getLogger()->debug('Getting info about file {fileId} by token {token}.', [ 'app' => $this->appName, 'fileId' => $fileId, 'token' => $token ]);
+
+ $row = new Db\Wopi();
+ $row->loadBy('token', $token);
+
+ $res = $row->getPathForToken($fileId, $token);
+
+ $view = new \OC\Files\View('/' . $res['user'] . '/');
+ $info = $view->getFileInfo($res['path']);
+
+ \OC::$server->getLogger()->debug('File info: {info}.', [ 'app' => $this->appName, 'info' => $info ]);
+
+ $baseFileName = $info['name'];
+ $size = $info['size'];
+
+ return array(
+ 'BaseFileName' => $baseFileName,
+ 'Size' => $size,
+ //'DownloadUrl' => '',
+ //'FileUrl' => '',
+ );
+ }
+
 /**
 * @NoAdminRequired
 * @NoCSRFRequired
From 1a737b4f073caa3024284f3c650e897ed0139e6c Mon Sep 17 00:00:00 2001
From: Ashod Nakashian
Date: Wed, 23 Mar 2016 21:56:39 -0400
Subject: [PATCH 2/3] wopi: pass the url wopi without /contents, to make it more flexible
---
 js/documents.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/js/documents.js b/js/documents.js
index 0af15cf4..42bcec75 100644
--- a/js/documents.js
+++ b/js/documents.js
@@ -192,7 +192,7 @@ var documentsMain = {
 }
 var urlsrc = $('li[data-id='+ documentsMain.fileId +']>a').attr('urlsrc');
- var url = OC.generateUrl('apps/richdocuments/wopi/files/{file_id}/contents?access_token={token}',
+ var url = OC.generateUrl('apps/richdocuments/wopi/files/{file_id}?access_token={token}',
 {file_id: documentsMain.fileId, token: encodeURIComponent(result.token)});
 documentsMain.url = window.location.protocol + '//' + window.location.host + url;
From 38c1b87435f1562180af449a06da8c85a6e7c080 Mon Sep 17 00:00:00 2001
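Review bot: In `wopiCheckFileInfo` (controller/documentcontroller.php) the first debug call writes the WOPI `access_token` into the log; on this `@PublicPage` route the token is the only credential, so anyone who can read the log can reuse it while it is accepted. I would drop it from the log context, i.e. the message `'Getting info about file {fileId}.'` with `[ 'app' => $this->appName, 'fileId' => $fileId ]`, or log only a truncated hash of it. Separately, `$info` is dereferenced without a check; if `getFileInfo()` returns `false` for a path that no longer exists, add `if ($info === false) { return false; }` before reading `$info['name']`. The result of `$row->loadBy('token', $token)` is also unused in this function, and `getPathForToken()` appears to load the record itself, so that call looks redundant.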
From: Ashod Nakashian
Date: Wed, 23 Mar 2016 21:57:22 -0400
Subject: [PATCH 3/3] wopi: support for file sharing and authentication
---
 controller/documentcontroller.php | 5 +++++
 lib/db/wopi.php | 29 ++++++++++++++++++++++++++---
 2 files changed, 31 insertions(+), 3 deletions(-)
diff --git a/controller/documentcontroller.php b/controller/documentcontroller.php
index 1dbf043b..0758f511 100644
--- a/controller/documentcontroller.php
+++ b/controller/documentcontroller.php
@@ -301,6 +301,7 @@ class DocumentController extends Controller{
 }
 /**
+ * @NoAdminRequired
 * Generates and returns an access token for a given fileId.
 * Only for authenticated users!
 */
@@ -332,6 +333,10 @@ class DocumentController extends Controller{
 $row->loadBy('token', $token);
 $res = $row->getPathForToken($fileId, $token);
+ if ($res == false || http_response_code() != 200)
+ {
+ return false;
+ }
 $view = new \OC\Files\View('/' . $res['user'] . '/');
 $info = $view->getFileInfo($res['path']);
diff --git a/lib/db/wopi.php b/lib/db/wopi.php
index 306204d3..7fca0bca 100644
--- a/lib/db/wopi.php
+++ b/lib/db/wopi.php
@@ -40,10 +40,21 @@ class Wopi extends \OCA\Richdocuments\Db{
 * Returns the token.
 */
 public function generateFileToken($fileId){
- $user = \OC_User::getUser();
- $view = new \OC\Files\View('/' . $user . '/');
+
+ // Get the FS view of the current user.
+ $view = \OC\Files\Filesystem::getView();
+ // Get the virtual path (if the file is shared).
 $path = $view->getPath($fileId);
+ if (!$view->is_file($path) || !$view->isUpdatable($path)) {
+ throw new \Exception('Invalid fileId.');
+ }
+ // Figure out the real owner, if not us.
+ $user = $view->getOwner($path);
+ // Create a view into the owner's FS.
+ $view = new \OC\Files\View('/' . $user . '/');
+ // Find the real path.
+ $path = $view->getPath($fileId);
 if (!$view->is_file($path)) {
 throw new \Exception('Invalid fileId.');
 }
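Review bot: The guard added to `wopiCheckFileInfo` reads `http_response_code()` as an error channel from `getPathForToken()`, which ties the controller to global response state that other code in the same request could have changed. In the second lib/db/wopi.php hunk of this patch every `http_response_code(...)` call is followed directly by `return false;`, so the return value alone carries the failure and the guard can be `if ($res === false) {`, using the strict comparison. Returning a bare `false` from the controller also leaves the client-visible status to the framework; an explicit response object carrying the 401/404 status would make the failure path unambiguous, although how the framework treats `false` is not visible from this hunk.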
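Review bot: In `generateFileToken` (lib/db/wopi.php) the share permission (`is_file` / `isUpdatable`) is checked once on the caller's view and `$user` is then reassigned to the file owner, so the token record written after this hunk is presumably bound to the owner's uid rather than to the user who requested it. Later WOPI requests then resolve the file through the owner's view with no record of who is editing, and nothing visible here re-checks the share if it is revoked after the token was issued. I would keep both identities apart, e.g. `$owner = $view->getOwner($path);` and `$ownerView = new \OC\Files\View('/' . $owner . '/');`, and store the requesting uid with the token so access can be re-validated and attributed. The function body continues outside the hunk, so the insert itself is not shown.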
@@ -80,13 +91,25 @@ class Wopi extends \OCA\Richdocuments\Db{
 $wopi = new Wopi();
 $row = $wopi->loadBy('token', $token)->getData();
 \OC::$server->getLogger()->debug('Loaded WOPI Token record: {row}.', [ 'row' => $row ]);
+ if (count($row) == 0)
+ {
+ // Invalid token.
+ http_response_code(401);
+ return false;
+ }
 //TODO: validate.
- if ($row['expiry'] > time() || $row['fileid'] !== $fileId){
+ if ($row['expiry'] > time()){
 // Expired token!
+ //http_response_code(404);
 //$wopi->deleteBy('id', $row['id']);
 //return false;
 }
+ if ($row['fileid'] !== $fileId){
+ // File unknown / user unauthorized (for the requested file).
+ http_response_code(404);
+ return false;
+ }
 $user = $row['uid'];
 $view = new \OC\Files\View('/' . $user . '/');
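Review bot: Token expiry is still not enforced after this change: the `if ($row['expiry'] > time())` branch contains only comments, so a token stays usable indefinitely, and the comparison looks inverted if `expiry` holds the time at which the token lapses. For a commit that adds authentication I would make the branch live, `if ($row['expiry'] < time()){` followed by `$wopi->deleteBy('id', $row['id']);` and `return false;`, with a 401 status as in the invalid-token case. The debug call just above the new check logs the whole token record (a context line, not new in this patch), which puts the token and uid into the log. `count($row) == 0` also assumes `getData()` always returns an array; `empty($row)` would cover `null` or `false` as well. The enclosing function starts and ends outside the hunk.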