diff --git a/appinfo/routes.php b/appinfo/routes.php index 397843e..6637040 100644 --- a/appinfo/routes.php +++ b/appinfo/routes.php @@ -5,7 +5,7 @@ return [ ['name' => 'pubPage#getByToken', 'url' => '/s/{token}'], ['name' => 'pubPage#getByTokenAndPath', 'url' => '/s/{token}/{path}', 'requirements' => array('path' => '.+')], - ['name' => 'privatePage#getByPath', 'url' => '/files/{path}', + ['name' => 'privatePage#getByPath', 'url' => '/u/{userId}/{path}', 'requirements' => array('path' => '.+')], ] ]; diff --git a/lib/Controller/PrivatePageController.php b/lib/Controller/PrivatePageController.php index c87dd2c..3bb8e48 100644 --- a/lib/Controller/PrivatePageController.php +++ b/lib/Controller/PrivatePageController.php @@ -11,7 +11,8 @@ use OCP\Files\NotFoundException; class PrivatePageController extends Controller { use RawResponse; - private $userFolder; + private $loggedInUserId; + private $serverContainer; public function __construct( $AppName, @@ -20,19 +21,28 @@ class PrivatePageController extends Controller { IServerContainer $serverContainer ) { parent::__construct($AppName, $request); - $this->userFolder = $serverContainer->getUserFolder($UserId); + $this->loggedInUserId = $UserId; + $this->serverContainer = $serverContainer; } /** * @NoAdminRequired * @NoCSRFRequired */ - public function getByPath($path) { - if (!$this->userFolder) { + public function getByPath($userId, $path) { + if ($userId !== $this->loggedInUserId) { + // TODO Currently, we only allow access to one's own files. I suppose we could implement + // authorisation checks and give the user access to files that have been shared with them. + return new NotFoundResponse(); // would 403 Forbidden be better? + } + + $userFolder = $this->serverContainer->getUserFolder($userId); + if (!$userFolder) { return new NotFoundResponse(); } + try { - $node = $this->userFolder->get($path); + $node = $userFolder->get($path); } catch (NotFoundException $e) { return new NotFoundResponse(); }