UNPKG

@sync-in/server

Version:

The secure, open-source platform for file storage, sharing, collaboration, and sync

github.com/Sync-in/server

Sync-in/server

158 lines (157 loc) 8.29 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
/* * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com> * This file is part of Sync-in | The open source file sync and share solution * See the LICENSE file for licensing details */ "use strict"; Object.defineProperty(exports, "__esModule", { value: true }); Object.defineProperty(exports, "SpaceGuard", { enumerable: true, get: function() { return SpaceGuard; } }); const _common = require("@nestjs/common"); const _core = require("@nestjs/core"); const _applicationsconstants = require("../../applications.constants"); const _collaboraonlineconstants = require("../../files/modules/collabora-online/collabora-online.constants"); const _collaboraonlineutils = require("../../files/modules/collabora-online/collabora-online.utils"); const _files = require("../../files/utils/files"); const _synccontextdecorator = require("../../sync/decorators/sync-context.decorator"); const _routes = require("../../sync/utils/routes"); const _webdavcontextdecorator = require("../../webdav/decorators/webdav-context.decorator"); const _routes1 = require("../../webdav/utils/routes"); const _spaces = require("../constants/spaces"); const _spaceoverridepermissiondecorator = require("../decorators/space-override-permission.decorator"); const _spaceskipguarddecorator = require("../decorators/space-skip-guard.decorator"); const _spaceskippermissionsdecorator = require("../decorators/space-skip-permissions.decorator"); const _spacesmanagerservice = require("../services/spaces-manager.service"); const _permissions = require("../utils/permissions"); const _routes2 = require("../utils/routes"); function _ts_decorate(decorators, target, key, desc) { var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d; if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc); else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r; return c > 3 && r && Object.defineProperty(target, key, r), r; } function _ts_metadata(k, v) { if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v); } let SpaceGuard = class SpaceGuard { static async checkPermissions(req, logger, overrideSpacePermission) { let permission; if (req.method === _applicationsconstants.HTTP_METHOD.PUT && await (0, _files.isPathExists)(req.space.realPath) && !await (0, _files.isPathIsDir)(req.space.realPath)) { // PUT method may either create a new resource or replace an existing one. // Therefore, we must check whether the target resource already exists to apply the appropriate permission rules. permission = _spaces.SPACE_OPERATION.MODIFY; } else { // The override is applied for specific POST methods that update an existing file rather than creating it. permission = overrideSpacePermission || _spaces.SPACE_HTTP_PERMISSION[req.method]; } if (!(0, _permissions.haveSpaceEnvPermissions)(req.space, permission)) { logger.warn(`is not allowed to ${req.method} on this space path : *${req.space.alias}* (${req.space.id}) : ${req.space.url}`); throw new _common.HttpException('You are not allowed to do this action', _common.HttpStatus.FORBIDDEN); } if ([ _spaces.SPACE_OPERATION.ADD, _spaces.SPACE_OPERATION.MODIFY ].indexOf(permission) > -1) { if (req.space.quotaIsExceeded) { logger.warn(`Storage quota exceeded for *${req.space.alias}* (${req.space.id})`); throw new _common.HttpException('Storage quota exceeded', _common.HttpStatus.INSUFFICIENT_STORAGE); } else if (req.space.storageQuota) { const contentLength = parseInt(req.headers['content-length'] || '0', 10) || 0; if (req.space.willExceedQuota(contentLength)) { throw new _common.HttpException('Storage quota will be exceeded', _common.HttpStatus.INSUFFICIENT_STORAGE); } } } } async canActivate(ctx) { if (this.reflector.getAllAndOverride(_spaceskipguarddecorator.SKIP_SPACE_GUARD, [ ctx.getHandler(), ctx.getClass() ])) { return true; } const req = ctx.switchToHttp().getRequest(); const webDAVContext = this.reflector.getAllAndOverride(_webdavcontextdecorator.WEB_DAV_CONTEXT, [ ctx.getHandler(), ctx.getClass() ]); const syncContext = this.reflector.getAllAndOverride(_synccontextdecorator.SYNC_CONTEXT, [ ctx.getHandler(), ctx.getClass() ]); const collaboraOnlineContext = this.reflector.getAllAndOverride(_collaboraonlineconstants.COLLABORA_CONTEXT, [ ctx.getHandler(), ctx.getClass() ]); const urlSegments = this.urlSegmentsFromContext(req, webDAVContext, syncContext, collaboraOnlineContext); this.checkAccessToSpace(req, urlSegments); let space; try { space = await this.spacesManager.spaceEnv(req.user, urlSegments); } catch (e) { this.logger.warn(`${this.canActivate.name} - ${e}`); throw new _common.HttpException('Space path is not valid', _common.HttpStatus.BAD_REQUEST); } if (!space) { this.logger.warn(`${this.canActivate.name} - space not authorized or not found : ${req.params['*']}`); throw new _common.HttpException('Space not found', _common.HttpStatus.NOT_FOUND); } if (!space.enabled) { throw new _common.HttpException('Space is disabled', _common.HttpStatus.FORBIDDEN); } // assign space to request req.space = space; const skipSpacePermissionsCheck = this.reflector.getAllAndOverride(_spaceskippermissionsdecorator.SKIP_SPACE_PERMISSIONS_CHECK, [ ctx.getHandler(), ctx.getClass() ]); if (skipSpacePermissionsCheck === undefined) { const overrideSpacePermission = this.reflector.getAllAndOverride(_spaceoverridepermissiondecorator.OverrideSpacePermission, [ ctx.getHandler(), ctx.getClass() ]); await SpaceGuard.checkPermissions(req, this.logger, overrideSpacePermission); } return true; } urlSegmentsFromContext(req, webDAVContext, syncContext, collaboraOnlineContext) { try { if (webDAVContext) { return (0, _routes1.WEBDAV_PATH_TO_SPACE_SEGMENTS)(req.params['*']); } else if (syncContext) { return (0, _routes.SYNC_PATH_TO_SPACE_SEGMENTS)(req.params['*']); } else if (collaboraOnlineContext) { return (0, _collaboraonlineutils.COLLABORA_ONLINE_TO_SPACE_SEGMENTS)(req); } return (0, _routes2.PATH_TO_SPACE_SEGMENTS)(req.params['*']); } catch (e) { this.logger.warn(`${this.canActivate.name} - ${e}`); throw new _common.HttpException(e.message, _common.HttpStatus.NOT_FOUND); } } checkAccessToSpace(req, urlSegments) { if (!(0, _permissions.canAccessToSpaceUrl)(req.user, urlSegments)) { this.logger.warn(`is not allowed to access to this space repository : ${req.params['*']}`); throw new _common.HttpException('You are not allowed to access to this repository', _common.HttpStatus.FORBIDDEN); } } constructor(reflector, spacesManager){ this.reflector = reflector; this.spacesManager = spacesManager; this.logger = new _common.Logger(SpaceGuard.name); } }; SpaceGuard = _ts_decorate([ (0, _common.Injectable)(), _ts_metadata("design:type", Function), _ts_metadata("design:paramtypes", [ typeof _core.Reflector === "undefined" ? Object : _core.Reflector, typeof _spacesmanagerservice.SpacesManager === "undefined" ? Object : _spacesmanagerservice.SpacesManager ]) ], SpaceGuard); //# sourceMappingURL=space.guard.js.map