Merge pull request #1019 from nextcloud/backport/1016/stable17

[stable17] Harden read only check on public endpoints

lib/Service/ApiService.php

@@ -32,6 +32,7 @@
 use OCA\Text\DocumentHasUnsavedChangesException;
 use OCA\Text\DocumentSaveConflictException;
 use OCA\Text\VersionMismatchException;
+use OCP\AppFramework\Http;
 use OCP\AppFramework\Http\DataResponse;
 use OCP\AppFramework\Http\FileDisplayResponse;
 use OCP\AppFramework\Http\NotFoundResponse;
@@ -64,6 +65,17 @@ public function create($fileId = null, $filePath = null, $token = null, $guestNa
 			$file = null;
 			if ($token) {
 				$file = $this->documentService->getFileByShareToken($token, $this->request->getParam('filePath'));
+
+				/*
+				 * Check if we have proper read access (files drop)
+				 * If not then well 404 it is.
+				 */
+				try {
+					$this->documentService->checkSharePermissions($token, Constants::PERMISSION_READ);
+				} catch (NotFoundException $e) {
+					return new DataResponse([], Http::STATUS_NOT_FOUND);
+				}
+
 				try {
 					$this->documentService->checkSharePermissions($token, Constants::PERMISSION_UPDATE);
 					$readOnly = false;