From 0519b4a71b236e464c9d1136065e8f5ba15def8e Mon Sep 17 00:00:00 2001 From: KernelDeimos Date: Sat, 17 Aug 2024 16:36:52 -0400 Subject: [PATCH] fix: require confirmed email for public folder --- src/backend/src/services/auth/ACLService.js | 20 +++++++++++++++----- 1 file changed, 15 insertions(+), 5 deletions(-) diff --git a/src/backend/src/services/auth/ACLService.js b/src/backend/src/services/auth/ACLService.js index 9cbc98ab..72d5d66d 100644 --- a/src/backend/src/services/auth/ACLService.js +++ b/src/backend/src/services/auth/ACLService.js @@ -18,7 +18,6 @@ */ const APIError = require("../../api/APIError"); const { NodePathSelector } = require("../../filesystem/node/selectors"); -const { get_user } = require("../../helpers"); const { Context } = require("../../util/context"); const BaseService = require("../BaseService"); const { AppUnderUserActorType, UserActorType, Actor, SystemActorType, AccessTokenActorType } = require("./Actor"); @@ -64,10 +63,21 @@ class ACLService extends BaseService { // Hard rule: anyone and anything can read /user/public directories if ( this.global_config.enable_public_folders ) { - const public_modes = ['read', 'list', 'see']; - if ( public_modes.includes(mode) ) { - if ( await fsNode.isPublic() ) return true; - } + const public_modes = Object.freeze(['read', 'list', 'see']); + let is_public; + await (async () => { + if ( ! public_modes.includes(mode) ) return; + if ( ! (await fsNode.isPublic()) ) return; + + const svc_getUser = this.services.get('get-user'); + + const username = await fsNode.getUserPart(); + const user = await svc_getUser.get_user({ username }); + if ( ! user.email_confirmed ) return; + + is_public = true; + })(); + if ( is_public ) return true; } // Access tokens only work if the authorizer has permission