Merge pull request #6878 from AIlkiv/fix/attachments-authenticated-view

fix: attachment visibility for authenticated users via shared links
nextcloud · Feb 5, 2025 · 40a655a · 40a655a
2 parents 5ab02b2 + e089475
commit 40a655a
Showing 1 changed file with 11 additions and 8 deletions.
diff --git a/lib/Middleware/SessionMiddleware.php b/lib/Middleware/SessionMiddleware.php
@@ -123,12 +123,14 @@ private function assertDocumentSession(ISessionAwareController $controller): voi
 	private function assertUserOrShareToken(ISessionAwareController $controller): void {
 		$documentId = (int)$this->request->getParam('documentId');
 		if (null !== $userId = $this->userSession->getUser()?->getUID()) {
-			// Check if user has access to document
-			if ($this->rootFolder->getUserFolder($userId)->getFirstNodeById($documentId) === null) {
-				throw new InvalidSessionException();
+			if ($this->rootFolder->getUserFolder($userId)->getFirstNodeById($documentId) !== null) {
+				$controller->setUserId($userId);
+				$controller->setDocumentId($documentId);
+				return;
 			}
-			$controller->setUserId($userId);
-		} elseif ('' !== $shareToken = (string)$this->request->getParam('shareToken')) {
+		}
+
+		if ('' !== $shareToken = (string)$this->request->getParam('shareToken')) {
 			try {
 				$share = $this->shareManager->getShareByToken($shareToken);
 			} catch (ShareNotFound) {
@@ -155,11 +157,12 @@ private function assertUserOrShareToken(ISessionAwareController $controller): vo
 			if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
 				throw new InvalidSessionException();
 			}
-		} else {
-			throw new InvalidSessionException();
+
+			$controller->setDocumentId($documentId);
+			return;
 		}
 
-		$controller->setDocumentId($documentId);
+		throw new InvalidSessionException();
 	}
 
 	public function afterException($controller, $methodName, \Exception $exception): JSONResponse|Response {