From 1f66c66ad3a5e830c17a7f2fc43f0ec6901d492b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?= <jus@bitgrid.net>
Date: Mon, 31 Oct 2022 11:55:39 +0100
Subject: [PATCH] Unify getting the share for attachments
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Julius Härtl <jus@bitgrid.net>
---
 lib/Service/FilesAppService.php | 30 ++++++++++++++++++++++++++----
 1 file changed, 26 insertions(+), 4 deletions(-)

diff --git a/lib/Service/FilesAppService.php b/lib/Service/FilesAppService.php
index 3fa399078..09e0c16da 100644
--- a/lib/Service/FilesAppService.php
+++ b/lib/Service/FilesAppService.php
@@ -138,7 +138,7 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 
 	public function extendData(Attachment $attachment) {
 		$userFolder = $this->rootFolder->getUserFolder($this->userId);
-		$share = $this->shareProvider->getShareById($attachment->getId());
+		$share = $this->getShareForAttachment($attachment);
 		$files = $userFolder->getById($share->getNode()->getId());
 		if (count($files) === 0) {
 			return $attachment;
@@ -161,7 +161,7 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 		// Problem: Folders
 		/** @psalm-suppress InvalidCatch */
 		try {
-			$share = $this->shareProvider->getShareById($attachment->getId());
+			$share = $this->getShareForAttachment($attachment);
 		} catch (ShareNotFound $e) {
 			throw new NotFoundException('File not found');
 		}
@@ -241,7 +241,7 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 	}
 
 	public function update(Attachment $attachment) {
-		$share = $this->shareProvider->getShareById($attachment->getId());
+		$share = $this->getShareForAttachment($attachment);
 		$target = $share->getNode();
 		$file = $this->getUploadedFile();
 		$fileName = $file['name'];
@@ -258,8 +258,13 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 		return $attachment;
 	}
 
+	/**
+	 * @throws NoPermissionException
+	 * @throws NotFoundException
+	 * @throws ShareNotFound
+	 */
 	public function delete(Attachment $attachment) {
-		$share = $this->shareProvider->getShareById($attachment->getId());
+		$share = $this->getShareForAttachment($attachment);
 		$file = $share->getNode();
 		$attachment->setData($file->getName());
 
@@ -282,4 +287,21 @@ class FilesAppService implements IAttachmentService, ICustomAttachmentService {
 	public function markAsDeleted(Attachment $attachment) {
 		throw new \Exception('Not implemented');
 	}
+
+	/**
+	 * @throws NoPermissionException
+	 */
+	private function getShareForAttachment(Attachment $attachment): IShare {
+		try {
+			$share = $this->shareProvider->getShareById($attachment->getId());
+		} catch (ShareNotFound $e) {
+			throw new NoPermissionException('No permission to access the attachment from the card');
+		}
+
+		if ((int)$share->getSharedWith() !== (int)$attachment->getCardId()) {
+			throw new NoPermissionException('No permission to access the attachment from the card');
+		}
+
+		return $share;
+	}
 }