From 5e693b53988d2e5b855a39d86cac7d6a14e37c3b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Thu, 15 Jan 2026 16:57:42 +0100 Subject: [PATCH 1/3] fix(files_sharing): Fix BeforeZipCreatedListener path handling MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Path of directory is relative to root folder, not user folder. Signed-off-by: Côme Chilliet --- .../lib/Listener/BeforeZipCreatedListener.php | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php b/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php index 1fc62bfe0fa58..882da07dcddae 100644 --- a/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php +++ b/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php @@ -35,16 +35,20 @@ public function handle(Event $event): void { $dir = $event->getDirectory(); $files = $event->getFiles(); - $pathsToCheck = []; - foreach ($files as $file) { - $pathsToCheck[] = $dir . '/' . $file; + if (empty($files)) { + $pathsToCheck = [$dir]; + } else { + $pathsToCheck = []; + foreach ($files as $file) { + $pathsToCheck[] = $dir . '/' . $file; + } } // Check only for user/group shares. Don't restrict e.g. share links $user = $this->userSession->getUser(); if ($user) { $viewOnlyHandler = new ViewOnly( - $this->rootFolder->getUserFolder($user->getUID()) + $this->rootFolder ); if (!$viewOnlyHandler->check($pathsToCheck)) { $event->setErrorMessage('Access to this resource or one of its sub-items has been denied.'); From 460d63772b98869f767c9936367100441c61b33f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Mon, 19 Jan 2026 11:22:17 +0100 Subject: [PATCH 2/3] fix(files_sharing): Switch back event path to be relative to user folder MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This is clearly the original intent, the parameter name in ViewOnly is $userFolder, and the similar event for single file download uses paths relative to user folder as well. Signed-off-by: Côme Chilliet --- .../lib/Listener/BeforeZipCreatedListener.php | 2 +- apps/files_sharing/lib/ViewOnly.php | 2 +- lib/public/Files/Events/BeforeZipCreatedEvent.php | 9 +++++++-- 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php b/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php index 882da07dcddae..b6339c3420838 100644 --- a/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php +++ b/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php @@ -48,7 +48,7 @@ public function handle(Event $event): void { $user = $this->userSession->getUser(); if ($user) { $viewOnlyHandler = new ViewOnly( - $this->rootFolder + $this->rootFolder->getUserFolder($user->getUID()) ); if (!$viewOnlyHandler->check($pathsToCheck)) { $event->setErrorMessage('Access to this resource or one of its sub-items has been denied.'); diff --git a/apps/files_sharing/lib/ViewOnly.php b/apps/files_sharing/lib/ViewOnly.php index e075677248abe..382eb190a8936 100644 --- a/apps/files_sharing/lib/ViewOnly.php +++ b/apps/files_sharing/lib/ViewOnly.php @@ -24,7 +24,7 @@ public function __construct( } /** - * @param string[] $pathsToCheck + * @param string[] $pathsToCheck paths to check, relative to the user folder * @return bool */ public function check(array $pathsToCheck): bool { diff --git a/lib/public/Files/Events/BeforeZipCreatedEvent.php b/lib/public/Files/Events/BeforeZipCreatedEvent.php index 0363d385d364c..34b315cf813d1 100644 --- a/lib/public/Files/Events/BeforeZipCreatedEvent.php +++ b/lib/public/Files/Events/BeforeZipCreatedEvent.php @@ -21,12 +21,13 @@ * @since 25.0.0 */ class BeforeZipCreatedEvent extends Event { - private string $directory; + private ?string $directory = null; private bool $successful = true; private ?string $errorMessage = null; private ?Folder $folder = null; /** + * @param string|Folder $directory Folder instance, or (deprecated) string path relative to user folder * @param list $files * @since 25.0.0 * @since 31.0.0 support `OCP\Files\Folder` as `$directory` parameter - passing a string is deprecated now @@ -37,7 +38,6 @@ public function __construct( ) { parent::__construct(); if ($directory instanceof Folder) { - $this->directory = $directory->getPath(); $this->folder = $directory; } else { $this->directory = $directory; @@ -53,8 +53,13 @@ public function getFolder(): ?Folder { /** * @since 25.0.0 + * @deprecated 33.0.0 Use getFolder instead and use node API + * @return string returns folder path relative to user folder */ public function getDirectory(): string { + if ($this->folder instanceof Folder) { + return preg_replace('|^/[^/]+/files/|', '/', $this->folder->getPath()); + } return $this->directory; } From 0720e2644faffeba2242e6f28b927c18898d8dfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?C=C3=B4me=20Chilliet?= Date: Tue, 20 Jan 2026 14:32:58 +0100 Subject: [PATCH 3/3] chore: fix or suppress psalm errors for BeforeZipCreatedEvent MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Côme Chilliet --- apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php | 1 + lib/public/Files/Events/BeforeZipCreatedEvent.php | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php b/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php index b6339c3420838..e638a088fbe1b 100644 --- a/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php +++ b/apps/files_sharing/lib/Listener/BeforeZipCreatedListener.php @@ -32,6 +32,7 @@ public function handle(Event $event): void { return; } + /** @psalm-suppress DeprecatedMethod should be migrated to getFolder but for now it would just duplicate code */ $dir = $event->getDirectory(); $files = $event->getFiles(); diff --git a/lib/public/Files/Events/BeforeZipCreatedEvent.php b/lib/public/Files/Events/BeforeZipCreatedEvent.php index 34b315cf813d1..ea84da64a1d4b 100644 --- a/lib/public/Files/Events/BeforeZipCreatedEvent.php +++ b/lib/public/Files/Events/BeforeZipCreatedEvent.php @@ -21,7 +21,7 @@ * @since 25.0.0 */ class BeforeZipCreatedEvent extends Event { - private ?string $directory = null; + private string $directory = ''; private bool $successful = true; private ?string $errorMessage = null; private ?Folder $folder = null;