@sync-in/server/server/applications/spaces/guards/space.guard.js

The secure, open-source platform for file storage, sharing, collaboration, and sync

/*
 * Copyright (C) 2012-2025 Johan Legrand <johan.legrand@sync-in.com>
 * This file is part of Sync-in | The open source file sync and share solution
 * See the LICENSE file for licensing details
 */ "use strict";
Object.defineProperty(exports, "__esModule", {
    value: true
});
Object.defineProperty(exports, "SpaceGuard", {
    enumerable: true,
    get: function() {
        return SpaceGuard;
    }
});
const _common = require("@nestjs/common");
const _core = require("@nestjs/core");
const _applicationsconstants = require("../../applications.constants");
const _onlyoffice = require("../../files/constants/only-office");
const _routes = require("../../files/constants/routes");
const _synccontextdecorator = require("../../sync/decorators/sync-context.decorator");
const _routes1 = require("../../sync/utils/routes");
const _webdavcontextdecorator = require("../../webdav/decorators/webdav-context.decorator");
const _routes2 = require("../../webdav/utils/routes");
const _spaces = require("../constants/spaces");
const _spaceskipguarddecorator = require("../decorators/space-skip-guard.decorator");
const _spaceskippermissionsdecorator = require("../decorators/space-skip-permissions.decorator");
const _spacesmanagerservice = require("../services/spaces-manager.service");
const _permissions = require("../utils/permissions");
const _routes3 = require("../utils/routes");
function _ts_decorate(decorators, target, key, desc) {
    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
    return c > 3 && r && Object.defineProperty(target, key, r), r;
}
function _ts_metadata(k, v) {
    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
}
let SpaceGuard = class SpaceGuard {
    static checkPermissions(req, logger, onlyOfficeContext = false) {
        let permission;
        if (onlyOfficeContext && req.method === _applicationsconstants.HTTP_METHOD.POST && req.originalUrl.startsWith(_routes.API_FILES_ONLY_OFFICE_CALLBACK)) {
            // special case : onlyoffice callback use post method to update documents
            permission = _spaces.SPACE_OPERATION.MODIFY;
        } else {
            permission = _spaces.SPACE_HTTP_PERMISSION[req.method];
        }
        if (!(0, _permissions.haveSpaceEnvPermissions)(req.space, permission)) {
            logger.warn(`is not allowed to ${req.method} on this space path : *${req.space.alias}* (${req.space.id}) : ${req.space.url}`);
            throw new _common.HttpException('You are not allowed to do this action', _common.HttpStatus.FORBIDDEN);
        }
        if ([
            _spaces.SPACE_OPERATION.ADD,
            _spaces.SPACE_OPERATION.MODIFY
        ].indexOf(permission) > -1) {
            if (req.space.quotaIsExceeded) {
                logger.warn(`Space quota is exceeded for *${req.space.alias}* (${req.space.id})`);
                throw new _common.HttpException('Space quota is exceeded', _common.HttpStatus.INSUFFICIENT_STORAGE);
            } else if (req.space.storageQuota) {
                const contentLength = parseInt(req.headers['content-length'] || '0', 10) || 0;
                if (req.space.willExceedQuota(contentLength)) {
                    throw new _common.HttpException('Quota will be exceeded', _common.HttpStatus.INSUFFICIENT_STORAGE);
                }
            }
        }
    }
    async canActivate(ctx) {
        const skipSpaceGuard = this.reflector.getAllAndOverride(_spaceskipguarddecorator.SKIP_SPACE_GUARD, [
            ctx.getHandler(),
            ctx.getClass()
        ]);
        if (skipSpaceGuard) {
            return true;
        }
        const skipSpacePermissionsCheck = this.reflector.getAllAndOverride(_spaceskippermissionsdecorator.SKIP_SPACE_PERMISSIONS_CHECK, [
            ctx.getHandler(),
            ctx.getClass()
        ]);
        const req = ctx.switchToHttp().getRequest();
        const onlyOfficeContext = this.reflector.getAllAndOverride(_onlyoffice.ONLY_OFFICE_CONTEXT, [
            ctx.getHandler(),
            ctx.getClass()
        ]);
        const webDAVContext = this.reflector.getAllAndOverride(_webdavcontextdecorator.WEB_DAV_CONTEXT, [
            ctx.getHandler(),
            ctx.getClass()
        ]);
        const syncContext = this.reflector.getAllAndOverride(_synccontextdecorator.SYNC_CONTEXT, [
            ctx.getHandler(),
            ctx.getClass()
        ]);
        const urlSegments = this.urlSegmentsFromContext(req, webDAVContext, syncContext);
        this.checkAccessToSpace(req, urlSegments);
        let space;
        try {
            space = await this.spacesManager.spaceEnv(req.user, urlSegments);
        } catch (e) {
            this.logger.warn(`${this.canActivate.name} - ${e}`);
            throw new _common.HttpException('Space path is not valid', _common.HttpStatus.BAD_REQUEST);
        }
        if (!space) {
            this.logger.warn(`${this.canActivate.name} - space not authorized or not found : ${req.params['*']}`);
            throw new _common.HttpException('Space not found', _common.HttpStatus.NOT_FOUND);
        }
        if (!space.enabled) {
            throw new _common.HttpException('Space is disabled', _common.HttpStatus.FORBIDDEN);
        }
        // assign space to request
        req.space = space;
        if (skipSpacePermissionsCheck === undefined) {
            SpaceGuard.checkPermissions(req, this.logger, onlyOfficeContext);
        }
        return true;
    }
    urlSegmentsFromContext(req, webDAVContext, syncContext) {
        if (webDAVContext || syncContext) {
            try {
                if (webDAVContext) {
                    return (0, _routes2.WEBDAV_PATH_TO_SPACE_SEGMENTS)(req.params['*']);
                } else {
                    return (0, _routes1.SYNC_PATH_TO_SPACE_SEGMENTS)(req.params['*']);
                }
            } catch (e) {
                this.logger.warn(`${this.canActivate.name} - ${e}`);
                throw new _common.HttpException(e.message, _common.HttpStatus.NOT_FOUND);
            }
        }
        return (0, _routes3.PATH_TO_SPACE_SEGMENTS)(req.params['*']);
    }
    checkAccessToSpace(req, urlSegments) {
        if (!(0, _permissions.canAccessToSpaceUrl)(req.user, urlSegments)) {
            this.logger.warn(`is not allowed to access to this space repository : ${req.params['*']}`);
            throw new _common.HttpException('You are not allowed to access to this repository', _common.HttpStatus.FORBIDDEN);
        }
    }
    constructor(reflector, spacesManager){
        this.reflector = reflector;
        this.spacesManager = spacesManager;
        this.logger = new _common.Logger(SpaceGuard.name);
    }
};
SpaceGuard = _ts_decorate([
    (0, _common.Injectable)(),
    _ts_metadata("design:type", Function),
    _ts_metadata("design:paramtypes", [
        typeof _core.Reflector === "undefined" ? Object : _core.Reflector,
        typeof _spacesmanagerservice.SpacesManager === "undefined" ? Object : _spacesmanagerservice.SpacesManager
    ])
], SpaceGuard);

//# sourceMappingURL=space.guard.js.map