Files: fix security

2022-10-17 18:21:40 +03:00 · 2022-10-17 18:21:40 +03:00 · a1ee600ae6
commit a1ee600ae6
parent 9ed0b00594
5 changed files with 20 additions and 18 deletions
--- a/products/ASC.Files/Core/Core/FileStorageService.cs
+++ b/products/ASC.Files/Core/Core/FileStorageService.cs
@ -1166,7 +1166,7 @@ public class FileStorageService<T> //: IFileStorageService
    {
        var fileDao = GetFileDao();
        var file = await fileDao.GetFileAsync(fileId);
-        ErrorIf(!await _fileSecurity.CanReadAsync(file), FilesCommonResource.ErrorMassage_SecurityException_ReadFile);
+        ErrorIf(!await _fileSecurity.CanReadHistoryAsync(file), FilesCommonResource.ErrorMassage_SecurityException_ReadFile);

        await foreach (var r in fileDao.GetFileHistoryAsync(fileId))
        {
--- a/products/ASC.Files/Core/Core/Security/FileSecurity.cs
+++ b/products/ASC.Files/Core/Core/Security/FileSecurity.cs
@ -98,6 +98,16 @@ public class FileSecurity : IFileSecurity
        return CanAsync(entry, userId, FilesSecurityActions.Read);
    }

+    public Task<bool> CanReadHistoryAsync<T>(FileEntry<T> entry)
+    {
+        return CanAsync(entry, _authContext.CurrentAccount.ID, FilesSecurityActions.ReadHistory);
+    }
+
+    public Task<bool> CanReadHistoryAsync<T>(FileEntry<T> entry, Guid userId)
+    {
+        return CanAsync(entry, userId, FilesSecurityActions.ReadHistory);
+    }
+
    public Task<bool> CanCommentAsync<T>(FileEntry<T> entry, Guid userId)
    {
        return CanAsync(entry, userId, FilesSecurityActions.Comment);
@ -766,11 +776,11 @@ public class FileSecurity : IFileSecurity
            {
                return true;
            }
-            else if (action == FilesSecurityActions.Comment && (e.Access == FileShare.Comment || e.Access == FileShare.Review || e.Access == FileShare.CustomFilter || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
+            else if (action == FilesSecurityActions.Comment && (e.Access == FileShare.Comment || e.Access == FileShare.Review || e.Access == FileShare.CustomFilter || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing || e.Access == FileShare.FillForms))
            {
                return true;
            }
-            else if (action == FilesSecurityActions.FillForms && (e.Access == FileShare.FillForms || e.Access == FileShare.Review || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
+            else if (action == FilesSecurityActions.FillForms && (e.Access == FileShare.FillForms || e.Access == FileShare.ReadWrite || e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
            {
                return true;
            }
@ -798,6 +808,10 @@ public class FileSecurity : IFileSecurity
            {
                return true;
            }
+            else if (action == FilesSecurityActions.ReadHistory && (e.Access == FileShare.RoomAdmin || e.Access == FileShare.Editing))
+            {
+                return true;
+            }
            else if (e.Access != FileShare.Restrict && e.CreateBy == userId && (e.FileEntryType == FileEntryType.File || folder.FolderType != FolderType.COMMON))
            {
                return true;
@ -1519,6 +1533,7 @@ public class FileSecurity : IFileSecurity
        Delete,
        CustomFilter,
        RoomEdit,
-        Rename
+        Rename,
+        ReadHistory
    }
 }
--- a/products/ASC.Files/Core/Services/DocumentService/DocumentServiceHelper.cs
+++ b/products/ASC.Files/Core/Services/DocumentService/DocumentServiceHelper.cs
@ -128,14 +128,6 @@ public class DocumentServiceHelper

        var rightModifyFilter = rightToEdit;

-        if (linkRight == FileShare.Restrict && _userManager.IsVisitor(_authContext.CurrentAccount.ID))
-        {
-            rightToEdit = false;
-            rightToReview = false;
-            rightToFillForms = false;
-            rightToComment = false;
-        }
-
        rightToEdit = rightToEdit
                      && (linkRight == FileShare.ReadWrite || linkRight == FileShare.CustomFilter
                          || await _fileSecurity.CanEditAsync(file) || await _fileSecurity.CanCustomFilterEditAsync(file));
--- a/products/ASC.Files/Core/Utils/EntryManager.cs
+++ b/products/ASC.Files/Core/Utils/EntryManager.cs
@ -1482,8 +1482,7 @@ public class EntryManager
                && !await _fileSecurity.CanCustomFilterEditAsync(file, userId)
                && !await _fileSecurity.CanReviewAsync(file, userId)
                && !await _fileSecurity.CanFillFormsAsync(file, userId)
-                && !await _fileSecurity.CanCommentAsync(file, userId)
-                || _userManager.IsVisitor(userId)))
+                && !await _fileSecurity.CanCommentAsync(file, userId)))
        {
            throw new SecurityException(FilesCommonResource.ErrorMassage_SecurityException_EditFile);
        }
--- a/products/ASC.Files/Core/Utils/FileSharing.cs
+++ b/products/ASC.Files/Core/Utils/FileSharing.cs
@ -481,10 +481,6 @@ public class FileSharing
                    continue;
                }
            }
-            else if (_userManager.IsVisitor(u) && new FileShareRecord.ShareComparer().Compare(FileShare.Read, share) > 0)
-            {
-                share = FileShare.Read;
-            }

            var w = new AceWrapper
            {