From ee0bfc42fee72dc4a2c5e266ae7cb2c8f631b7e0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Mon, 26 Aug 2024 16:25:01 +0200
Subject: [PATCH 1/2] fix: Skip disabled download files when requesting assets
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 lib/Controller/AssetsController.php | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
diff --git a/lib/Controller/AssetsController.php b/lib/Controller/AssetsController.php
index d7792a6017..90b73d3578 100644
--- a/lib/Controller/AssetsController.php
+++ b/lib/Controller/AssetsController.php
@@ -6,6 +6,7 @@
 namespace OCA\Richdocuments\Controller;
+use OCA\Files_Sharing\SharedStorage;
 use OCA\Richdocuments\Controller\Attribute\RestrictToWopiServer;
 use OCA\Richdocuments\Db\AssetMapper;
 use OCA\Richdocuments\Service\UserScopeService;
@@ -18,6 +19,7 @@
 use OCP\Files\File;
 use OCP\Files\IRootFolder;
 use OCP\Files\NotFoundException;
+use OCP\Files\NotPermittedException;
 use OCP\IRequest;
 use OCP\IURLGenerator;
@@ -56,8 +58,24 @@ public function create($path) {
 try {
 $node = $userFolder->get($path);
+
+ if (!($node instanceof File)) {
+ return new JSONResponse([], Http::STATUS_NOT_FOUND);
+ }
+
+ $storage = $node->getStorage();
+ if ($storage->instanceOfStorage(SharedStorage::class)) {
+ /** @var SharedStorage $storage */
+ $share = $storage->getShare();
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ throw new NotPermittedException();
+ }
+ }
 } catch (NotFoundException $e) {
 return new JSONResponse([], Http::STATUS_NOT_FOUND);
+ } catch (NotPermittedException $e) {
+ return new JSONResponse([], Http::STATUS_FORBIDDEN);
 }
 $asset = $this->assetMapper->newAsset($this->userId, $node->getId());
From 89eee2fdea248e44bf800daf78f7446f123d0e76 Mon Sep 17 00:00:00 2001
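Review bot: The new download-disabled check in `create()` is an access-control decision, yet no test comes with it (the diffstat lists only `lib/Controller/AssetsController.php`); a controller test that requests an asset for a file on a share whose `permissions`/`download` attribute is `false` and expects `Http::STATUS_FORBIDDEN` would keep it from regressing. The denial is raised with `throw new NotPermittedException();` and caught a few lines below, while the non-File case just above returns directly; `return new JSONResponse([], Http::STATUS_FORBIDDEN);` at the check would keep both rejections in one style. If the new catch stays, note that it maps any `NotPermittedException` thrown inside the try to 403, not only this one. The condition is a strict `=== false`, so a share with no attributes or no `download` entry is treated as downloadable; a short comment such as `// absent attribute means download is allowed` would record that this default is intended. `create()` begins and ends outside the hunk.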
From: =?UTF-8?q?Julius=20H=C3=A4rtl?=
Date: Mon, 26 Aug 2024 16:37:40 +0200
Subject: [PATCH 2/2] fix: Filter out non-downloadable files in image picker
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Julius Härtl
---
 src/view/FilesAppIntegration.js | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/src/view/FilesAppIntegration.js b/src/view/FilesAppIntegration.js
index 10ec5f37c7..b1d8631e33 100644
--- a/src/view/FilesAppIntegration.js
+++ b/src/view/FilesAppIntegration.js
@@ -166,6 +166,11 @@ export default {
 getFilePickerBuilder(t('richdocuments', 'Insert image from {name}', { name: OC.theme.name }))
 .setMimeTypeFilter(['image/png', 'image/gif', 'image/jpeg', 'image/svg'])
+ .setFilter((node) => {
+ const downloadShareAttribute = JSON.parse(node.attributes['share-attributes']).find((shareAttribute) => shareAttribute.key === 'download')
+ const downloadPermissions = downloadShareAttribute !== undefined ? (downloadShareAttribute.enabled || downloadShareAttribute.value) : true
+ return (node.permissions & OC.PERMISSION_READ) && downloadPermissions
+ })
 .addButton({
 label: t('richdocuments', 'Insert image'),
 callback: (files) => {
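Review bot: In the added `.setFilter` callback, `JSON.parse(node.attributes['share-attributes'])` throws when the attribute is absent or not valid JSON, and the following `.find` throws if the parsed value is not an array. Whether every node the picker passes in carries `share-attributes` is not visible in this hunk, so a guarded parse such as `const shareAttributes = JSON.parse(node.attributes['share-attributes'] || '[]')` before the `.find` would keep one odd node from breaking the picker. A comment stating that this filter only hides entries in the UI, and that the 403 from the assets endpoint in patch 1/2 is the actual enforcement, would stop a later reader from treating the client-side check as the control.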