Permissions check on credential update api

controller/credentialcontroller.php

@@ -11,6 +11,9 @@
 
 namespace OCA\Passman\Controller;
 
+use OCA\Passman\Db\SharingACL;
+use OCP\AppFramework\Http;
+use OCP\AppFramework\Http\DataResponse;
 use OCP\IRequest;
 use OCP\AppFramework\Http\JSONResponse;
 use OCP\AppFramework\ApiController;
@@ -18,24 +21,29 @@ use OCA\Passman\Service\CredentialService;
 use OCA\Passman\Activity;
 use OCA\Passman\Service\ActivityService;
 use OCA\Passman\Service\CredentialRevisionService;
+use OCA\Passman\Service\ShareService;
 
 class CredentialController extends ApiController {
 	private $userId;
 	private $credentialService;
 	private $activityService;
 	private $credentialRevisionService;
+    private $sharingService;
 
 	public function __construct($AppName,
 								IRequest $request,
 								$UserId,
 								CredentialService $credentialService,
 								ActivityService $activityService,
-								CredentialRevisionService $credentialRevisionService) {
+								CredentialRevisionService $credentialRevisionService,
+                                ShareService $sharingService
+    ) {
 		parent::__construct($AppName, $request);
 		$this->userId = $UserId;
 		$this->credentialService = $credentialService;
 		$this->activityService = $activityService;
 		$this->credentialRevisionService = $credentialRevisionService;
+        $this->sharingService = $sharingService;
 	}
 
 	/**
@@ -120,6 +128,12 @@ class CredentialController extends ApiController {
 		);
 
 		$storedCredential = $this->credentialService->getCredentialById($credential_id, $this->userId);
+        if ($storedCredential->getUserId() !== $this->userId){
+            $acl = $this->sharingService->getCredentialAclForUser($this->userId, $storedCredential->getGuid());
+            if (!$acl->hasPermission(SharingACL::WRITE)){
+                return new DataResponse(['msg' => 'Not authorized'], Http::STATUS_UNAUTHORIZED);
+            }
+        }
 
 		$link = ''; // @TODO create direct link to credential
 		if ($revision_created) {

lib/Service/CredentialService.php

@@ -11,6 +11,8 @@
 
 namespace OCA\Passman\Service;
 
+use OCA\Passman\Db\SharingACL;
+use OCA\Passman\Db\SharingACLMapper;
 use OCP\IConfig;
 use OCP\AppFramework\Db\DoesNotExistException;
 
@@ -20,9 +22,11 @@ use OCA\Passman\Db\CredentialMapper;
 class CredentialService {
 
 	private $credentialMapper;
+    private $sharingACL;
 
-	public function __construct(CredentialMapper $credentialMapper) {
+	public function __construct(CredentialMapper $credentialMapper, SharingACLMapper $sharingACL) {
 		$this->credentialMapper = $credentialMapper;
+        $this->sharingACL = $sharingACL;
 	}
 
 	public function createCredential($credential) {
@@ -58,6 +62,13 @@ class CredentialService {
         if ($credential->getUserId() == $user_id){
             return $credential;
         }
+        else {
+            $acl = $this->sharingACL->getItemACL($user_id, $credential->getGuid());
+            if ($acl->hasPermission(SharingACL::READ));
+            return $credential;
+        }
+
+        throw new DoesNotExistException("Did expect one result but found none when executing");
 	}
 	public function getCredentialLabelById($credential_id){
 		return $this->credentialMapper->getCredentialLabelById($credential_id);

lib/Service/ShareService.php

@@ -167,6 +167,16 @@ class ShareService {
 		return $this->sharingACL->getCredentialAclList($item_guid);
 	}
 
+    /**
+     * Gets the ACL on the credential for the user
+     * @param $user_id
+     * @param $item_guid
+     * @return SharingACL
+     */
+	public function getCredentialAclForUser($user_id, $item_guid){
+	    return $this->sharingACL->getItemACL($user_id, $item_guid);
+    }
+
 	/**
 	 * Get pending share requests by guid
 	 *