From 2b8b7c989873693ffc820e7b8bf3b26a53f3b40f Mon Sep 17 00:00:00 2001
From: MaksimChegulov
Date: Fri, 17 Jun 2022 10:59:03 +0300
Subject: [PATCH] Files: added permission check for link generation

---
 .../Server/Api/VirtualRoomsController.cs | 21 ++++++++++++-------
 1 file changed, 14 insertions(+), 7 deletions(-)

diff --git a/products/ASC.Files/Server/Api/VirtualRoomsController.cs b/products/ASC.Files/Server/Api/VirtualRoomsController.cs
index 3c49fdfd43..da21c4ebe5 100644
--- a/products/ASC.Files/Server/Api/VirtualRoomsController.cs
+++ b/products/ASC.Files/Server/Api/VirtualRoomsController.cs
@@ -167,10 +167,12 @@ public abstract class VirtualRoomsController : ApiControllerBase
     }
 
     [HttpGet("rooms/{id}/links")]
-    public object GetInvitationLink(T id, InviteLinkDto inDto)
+    public async Task GetInvitationLinkAsync(T id, InviteLinkDto inDto)
     {
         ErrorIfNotDocSpace();
 
+        await ErrorIfNotEditable(id);
+
         return _roomLinksService.GenerateLink(id, (int)inDto.Access, EmployeeType.User, _authContext.CurrentAccount.ID);
     }
 
@@ -179,12 +181,7 @@ public abstract class VirtualRoomsController : ApiControllerBase
     {
         ErrorIfNotDocSpace();
 
-        var room = await _fileStorageService.GetFolderAsync(id);
-
-        if (!await _fileSecurity.CanEditRoomAsync(room))
-        {
-            throw new InvalidOperationException("You don't have the rights to invite users to the room");
-        }
+        await ErrorIfNotEditable(id);
 
         var results = new List();
 
@@ -300,6 +297,16 @@ public abstract class VirtualRoomsController : ApiControllerBase
 
         return await _securityControllerHelper.SetFolderSecurityInfoAsync(id, new[] { share }, false, null, true);
     }
+
+    private async Task ErrorIfNotEditable(T id)
+    {
+        var room = await _fileStorageService.GetFolderAsync(id);
+
+        if (!await _fileSecurity.CanEditRoomAsync(room))
+        {
+            throw new InvalidOperationException("You don't have the rights to invite users to the room");
+        }
+    }
 }
 
 public class VirtualRoomsCommonController : ApiControllerBase
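Review bot: The authorization failure that `await ErrorIfNotEditable(id);` raises in `GetInvitationLinkAsync` is an `InvalidOperationException`, which an exception-to-status mapping will typically report as a generic error rather than 403 Forbidden, so a client cannot tell "not permitted" from a server fault; an authorization-specific exception type would make the denial explicit (the helper itself is defined in the last hunk of this file). The new guard also only establishes that the caller may edit the room, while `(int)inDto.Access` is forwarded to `GenerateLink` unvalidated — whether `GenerateLink` caps the granted access at the caller's own rights is not visible here, so that should be confirmed or enforced before the call. The enclosing class continues outside the hunk.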
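Review bot: `ErrorIfNotEditable` is an async method but does not follow the `Async` suffix convention that `GetInvitationLinkAsync` and `GetFolderAsync` use in the same diff; `private async Task ErrorIfNotEditableAsync(T id)` would be consistent, and a one-line XML summary such as `/// <summary>Throws when the current user cannot edit room <paramref name="id"/>; guards the invitation and link endpoints.</summary>` would document the contract. If `GetFolderAsync` returns null for an unknown room, `CanEditRoomAsync(room)` receives null, and whether that throws cleanly or returns false is not visible here — an explicit null check with a not-found error would make the guard deterministic. The message still says "invite users", but the helper now also guards link generation, so a neutral wording like `"You don't have the rights to edit the room"` would fit both callers. The class continues outside the hunk.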