fix(richdocuments): gate conversion with SecureViewService check #5635
chrip wants to merge 2 commits into
Server-side conversion bypassed the Secure View / watermark restriction that the viewer enforces, allowing a user with view-only secure access to download a clean copy via the conversion API.

Reuse SecureViewService (same logic the viewer uses) to deny conversion for files that should be secured.

Handle the documented NotFoundException so a cache miss surfaces as a clear, translated error instead of a 500.

Signed-off-by: Christoph Schaefer <christoph.schaefer@nextcloud.com>
Confirmed: with the tryOpen=false change applied, the conversion is blocked with the translated "Conversion is blocked because the file is protected by Secure View." message in the log, instead of the ForbiddenException 500 that occurs with the default tryOpen=true (because fopen() on the SecureView wrapper throws).

Accepting the suggestion. Thanks!

Co-authored-by: Elizabeth Danzberger <elizabeth@elzody.dev>
Signed-off-by: Christoph Schaefer <christoph.schaefer@nextcloud.com>
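A self-contained PHP sketch of the gate these two commit messages describe, added here as an illustration and not code from this PR or from Nextcloud: `SecureViewPolicy`, `convert()`, `ConversionDenied`, the sample paths and the not-found message are hypothetical, and the exception classes are local stand-ins. It shows the policy check running with `tryOpen=false` before any file access, and a cache miss turned into a clean refusal instead of an unhandled error.

```php
<?php
declare(strict_types=1);

// Local stand-ins; none of these are the real Nextcloud classes.
class NotFoundException extends Exception {}
class ForbiddenException extends Exception {}
class ConversionDenied extends Exception {}

/** Constructed model of a policy service shared by the viewer and the converter. */
final class SecureViewPolicy {
    /** @param array<string,bool> $secured path => file must only be shown watermarked */
    public function __construct(private array $secured) {}

    public function shouldSecure(string $path, bool $tryOpen = true): bool {
        if (!array_key_exists($path, $this->secured)) {
            throw new NotFoundException($path); // models the cache miss
        }
        if ($tryOpen && $this->secured[$path]) {
            // Models the storage wrapper refusing fopen() on a secured file.
            throw new ForbiddenException($path);
        }
        return $this->secured[$path];
    }
}

/** Conversion entry point: policy decision first, file access second. */
function convert(SecureViewPolicy $policy, string $path, callable $doConvert): string {
    try {
        // tryOpen=false: decide from metadata only, never open the stream.
        if ($policy->shouldSecure($path, false)) {
            throw new ConversionDenied('Conversion is blocked because the file is protected by Secure View.');
        }
    } catch (NotFoundException $e) {
        // Refuse with a clear error rather than letting the exception become a 500.
        throw new ConversionDenied('File not found, conversion refused.', 0, $e);
    }
    return $doConvert($path);
}

// Constructed sample data: one secured share, one ordinary file, one unknown path.
$policy = new SecureViewPolicy(['/shared/report.odt' => true, '/own/notes.odt' => false]);
foreach (['/own/notes.odt', '/shared/report.odt', '/missing.odt'] as $path) {
    try {
        echo $path, ' => ', convert($policy, $path, fn(string $p) => "converted $p"), PHP_EOL;
    } catch (ConversionDenied $e) {
        echo $path, ' => denied: ', $e->getMessage(), PHP_EOL;
    }
}
```

Calling `shouldSecure($path)` with the default `tryOpen=true` on the secured path in this model raises `ForbiddenException`, which mirrors the 500 described in the second commit message.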
Server-side conversion bypassed the Secure View / watermark restriction that the viewer enforces, allowing a user with view-only secure access to download a clean copy via the conversion API. Reuse SecureViewService (same logic the viewer uses) to deny conversion for files that should be secured. Handle the documented NotFoundException so a cache miss surfaces as a clear, translated error instead of a 500.
Summary
TODO
apps/files/src/actions/convertAction.ts
Checklist