Files
vikunja/pkg/models/link_sharing_permissions.go
kolaente bcade97fa4 fix(link-sharing): resolve share read permission via project id so by-id reads work
LinkSharing.CanRead resolved the parent project from the share hash, but a
by-id read (GET /projects/{project}/shares/{share}) only carries the numeric
id, never the hash — so the project lookup returned ErrProjectShareDoesNotExist
and every read-one 404'd, even for the share's owner. This affected both v1 and
v2.

Resolve the project from ProjectID when it is set (the by-id read path), keeping
the hash lookup as a fallback for resolving a share purely by its public hash.
The permission semantic is unchanged — you can read a share if you can read its
parent project; only the project lookup changes. ReadOne still scopes by
id AND project_id, so a share id from another project the caller can access is
not leaked (404, no IDOR).

Flips the v2 webtest's pinned 404 cases to assert success and adds the
cross-project IDOR and non-member negatives.
2026-06-05 09:17:25 +00:00

84 lines
2.7 KiB
Go

// Vikunja is a to-do list application to facilitate your life.
// Copyright 2018-present Vikunja and contributors. All rights reserved.
//
// This program is free software: you can redistribute it and/or modify
// it under the terms of the GNU Affero General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// This program is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Affero General Public License for more details.
//
// You should have received a copy of the GNU Affero General Public License
// along with this program. If not, see <https://www.gnu.org/licenses/>.
package models
import (
"code.vikunja.io/api/pkg/web"
"xorm.io/xorm"
)
// CanRead implements the read permission check for a link share
func (share *LinkSharing) CanRead(s *xorm.Session, a web.Auth) (bool, int, error) {
// Don't allow creating link shares if the user itself authenticated with a link share
if _, is := a.(*LinkSharing); is {
return false, 0, nil
}
// A by-id read carries the parent project but no hash, so resolve the
// project from ProjectID; only fall back to the hash lookup when ProjectID
// is absent (e.g. resolving a share purely by its public hash).
var project *Project
if share.ProjectID != 0 {
var err error
project, err = GetProjectSimpleByID(s, share.ProjectID)
if err != nil {
return false, 0, err
}
} else {
var err error
project, err = GetProjectByShareHash(s, share.Hash)
if err != nil {
return false, 0, err
}
}
return project.CanRead(s, a)
}
// CanDelete implements the delete permission check for a link share
func (share *LinkSharing) CanDelete(s *xorm.Session, a web.Auth) (bool, error) {
return share.canDoLinkShare(s, a)
}
// CanUpdate implements the update permission check for a link share
func (share *LinkSharing) CanUpdate(s *xorm.Session, a web.Auth) (bool, error) {
return share.canDoLinkShare(s, a)
}
// CanCreate implements the create permission check for a link share
func (share *LinkSharing) CanCreate(s *xorm.Session, a web.Auth) (bool, error) {
return share.canDoLinkShare(s, a)
}
func (share *LinkSharing) canDoLinkShare(s *xorm.Session, a web.Auth) (bool, error) {
// Don't allow creating link shares if the user itself authenticated with a link share
if _, is := a.(*LinkSharing); is {
return false, nil
}
l, err := GetProjectSimpleByID(s, share.ProjectID)
if err != nil {
return false, err
}
// Check if the user is admin when the link permission is admin
if share.Permission == PermissionAdmin {
return l.IsAdmin(s, a)
}
return l.CanWrite(s, a)
}