Refactor WOPI access checks to prioritize organization membership over user ownership

2026-01-31 23:45:07 +01:00
parent 048356dddf
commit 9ac649105a
1 changed files with 38 additions and 29 deletions
--- a/go_cloud/internal/http/wopi_handlers.go
+++ b/go_cloud/internal/http/wopi_handlers.go
@@ -259,11 +259,8 @@ func wopiCheckFileInfoHandler(w http.ResponseWriter, r *http.Request, db *databa
 	canAccess := false
 	var ownerID string

-	if file.UserID != nil && *file.UserID == userID {
-		canAccess = true
-		ownerID = userID.String()
-	} else if file.OrgID != nil {
-		// Check if user is member of the org
+	// Prefer org ownership when file belongs to an org and the user is a member
+	if file.OrgID != nil {
 		member, err := db.GetOrgMember(r.Context(), *file.OrgID, userID)
 		if err == nil && member != nil {
 			canAccess = true
@@ -271,6 +268,12 @@ func wopiCheckFileInfoHandler(w http.ResponseWriter, r *http.Request, db *databa
 		}
 	}

+	// Fallback to per-user file ownership
+	if !canAccess && file.UserID != nil && *file.UserID == userID {
+		canAccess = true
+		ownerID = userID.String()
+	}
+
 	if !canAccess {
 		fmt.Printf("[WOPI-REQUEST] Access denied: file=%s user=%s\n", fileID, userID.String())
 		errors.WriteError(w, errors.CodePermissionDenied, "Access denied", http.StatusForbidden)
@@ -369,19 +372,8 @@ func wopiGetFileHandler(w http.ResponseWriter, r *http.Request, db *database.DB,
 	var webDAVClient *storage.WebDAVClient
 	var remotePath string

-	if file.UserID != nil && *file.UserID == userID {
-		canAccess = true
-		// Get user's WebDAV client - use config
-		webDAVClient, err = getUserWebDAVClient(r.Context(), db, userID, cfg.NextcloudURL, cfg.NextcloudUser, cfg.NextcloudPass)
-		if err != nil {
-			fmt.Printf("[WOPI-STORAGE] Failed to get user WebDAV client: %v\n", err)
-			errors.WriteError(w, errors.CodeInternal, "Storage error", http.StatusInternalServerError)
-			return
-		}
-		// User files: path is relative to user's WebDAV root
-		remotePath = file.Path
-	} else if file.OrgID != nil {
-		// Check if user is member of the org
+	// Prefer org storage when present and the user is a member
+	if file.OrgID != nil {
 		member, err := db.GetOrgMember(r.Context(), *file.OrgID, userID)
 		if err == nil && member != nil {
 			canAccess = true
@@ -398,6 +390,19 @@ func wopiGetFileHandler(w http.ResponseWriter, r *http.Request, db *database.DB,
 		}
 	}

+	// Fallback to per-user files
+	if !canAccess && file.UserID != nil && *file.UserID == userID {
+		canAccess = true
+		webDAVClient, err = getUserWebDAVClient(r.Context(), db, userID, cfg.NextcloudURL, cfg.NextcloudUser, cfg.NextcloudPass)
+		if err != nil {
+			fmt.Printf("[WOPI-STORAGE] Failed to get user WebDAV client: %v\n", err)
+			errors.WriteError(w, errors.CodeInternal, "Storage error", http.StatusInternalServerError)
+			return
+		}
+		// User files: path is relative to user's WebDAV root
+		remotePath = file.Path
+	}
+
 	if !canAccess {
 		fmt.Printf("[WOPI-REQUEST] GetFile - Access denied: file=%s user=%s\n", fileID, userID.String())
 		errors.WriteError(w, errors.CodePermissionDenied, "Access denied", http.StatusForbidden)
@@ -474,17 +479,8 @@ func wopiPutFileHandler(w http.ResponseWriter, r *http.Request, db *database.DB,
 	var webDAVClient *storage.WebDAVClient
 	var remotePath string

-	if file.UserID != nil && *file.UserID == userID {
-		canAccess = true
-		webDAVClient, err = getUserWebDAVClient(r.Context(), db, userID, cfg.NextcloudURL, cfg.NextcloudUser, cfg.NextcloudPass)
-		if err != nil {
-			fmt.Printf("[WOPI-STORAGE] Failed to get user WebDAV client: %v\n", err)
-			errors.WriteError(w, errors.CodeInternal, "Storage error", http.StatusInternalServerError)
-			return
-		}
-		// User files: path is relative to user's WebDAV root
-		remotePath = file.Path
-	} else if file.OrgID != nil {
+	// Prefer org storage when present and the user is a member
+	if file.OrgID != nil {
 		member, err := db.GetOrgMember(r.Context(), *file.OrgID, userID)
 		if err == nil && member != nil {
 			canAccess = true
@@ -501,6 +497,19 @@ func wopiPutFileHandler(w http.ResponseWriter, r *http.Request, db *database.DB,
 		}
 	}

+	// Fallback to per-user files
+	if !canAccess && file.UserID != nil && *file.UserID == userID {
+		canAccess = true
+		webDAVClient, err = getUserWebDAVClient(r.Context(), db, userID, cfg.NextcloudURL, cfg.NextcloudUser, cfg.NextcloudPass)
+		if err != nil {
+			fmt.Printf("[WOPI-STORAGE] Failed to get user WebDAV client: %v\n", err)
+			errors.WriteError(w, errors.CodeInternal, "Storage error", http.StatusInternalServerError)
+			return
+		}
+		// User files: path is relative to user's WebDAV root
+		remotePath = file.Path
+	}
+
 	if !canAccess {
 		fmt.Printf("[WOPI-REQUEST] PutFile - Access denied: file=%s user=%s\n", fileID, userID.String())
 		errors.WriteError(w, errors.CodePermissionDenied, "Access denied", http.StatusForbidden)