feat: Add guest file uploads and add deletion for note owners

Signed-off-by: Yannick Bungers <git@innay.de> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2025-05-13 22:54:42 -04:00 · 2023-03-25 17:47:46 +01:00 · 2023-03-25 17:47:46 +01:00 · 485f7cd338
commit 485f7cd338
parent 0f464dedfe
8 changed files with 244 additions and 68 deletions
--- a/backend/src/api/private/media/media.controller.ts
+++ b/backend/src/api/private/media/media.controller.ts
@ -23,10 +23,12 @@ import { MediaUploadDto } from '../../../media/media-upload.dto';
 import { MediaService } from '../../../media/media.service';
 import { MulterFile } from '../../../media/multer-file.interface';
 import { Note } from '../../../notes/note.entity';
-import { NotesService } from '../../../notes/notes.service';
+import { Permission } from '../../../permissions/permissions.enum';
 import { User } from '../../../users/user.entity';
 import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
 import { OpenApi } from '../../utils/openapi.decorator';
+import { Permissions } from '../../utils/permissions.decorator';
+import { PermissionsGuard } from '../../utils/permissions.guard';
 import { RequestNote } from '../../utils/request-note.decorator';
 import { RequestUser } from '../../utils/request-user.decorator';

@ -38,7 +40,6 @@ export class MediaController {
  constructor(
    private readonly logger: ConsoleLoggerService,
    private mediaService: MediaService,
-    private noteService: NotesService,
  ) {
    this.logger.setContext(MediaController.name);
  }
@ -60,8 +61,10 @@ export class MediaController {
    name: 'HedgeDoc-Note',
    description: 'ID or alias of the parent note',
  })
+  @UseGuards(PermissionsGuard)
  @UseInterceptors(FileInterceptor('file'))
  @UseInterceptors(NoteHeaderInterceptor)
+  @Permissions(Permission.WRITE)
  @OpenApi(
    {
      code: 201,
@ -76,15 +79,22 @@ export class MediaController {
  async uploadMedia(
    @UploadedFile() file: MulterFile | undefined,
    @RequestNote() note: Note,
-    @RequestUser() user: User,
+    @RequestUser({ guestsAllowed: true }) user: User | null,
  ): Promise<MediaUploadDto> {
    if (file === undefined) {
      throw new BadRequestException('Request does not contain a file');
    }
-    this.logger.debug(
-      `Received filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
-      'uploadMedia',
-    );
+    if (user) {
+      this.logger.debug(
+        `Received filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
+        'uploadMedia',
+      );
+    } else {
+      this.logger.debug(
+        `Received filename '${file.originalname}' for note '${note.id}' from not logged in user`,
+        'uploadMedia',
+      );
+    }
    const upload = await this.mediaService.saveFile(file.buffer, user, note);
    return await this.mediaService.toMediaUploadDto(upload);
  }
@ -95,21 +105,29 @@ export class MediaController {
    @RequestUser() user: User,
    @Param('filename') filename: string,
  ): Promise<void> {
-    const username = user.username;
-    this.logger.debug(
-      `Deleting '${filename}' for user '${username}'`,
-      'deleteMedia',
-    );
    const mediaUpload = await this.mediaService.findUploadByFilename(filename);
-    if ((await mediaUpload.user).username !== username) {
+    const mediaUploadOwner = await mediaUpload.user;
+    const mediaUploadNote = await mediaUpload.note;
+    const mediaUploadNoteOwner = await mediaUploadNote?.owner;
+    if (
+      mediaUploadOwner?.id === user.id ||
+      user.id === mediaUploadNoteOwner?.id
+    ) {
+      this.logger.debug(
+        `Deleting '${filename}' for user '${user.username}'`,
+        'deleteMedia',
+      );
+      await this.mediaService.deleteFile(mediaUpload);
+    } else {
      this.logger.warn(
-        `${username} tried to delete '${filename}', but is not the owner`,
+        `${user.username} tried to delete '${filename}', but is not the owner of upload or connected note`,
        'deleteMedia',
      );
      throw new PermissionError(
-        `File '${filename}' is not owned by '${username}'`,
+        `Neither file '${filename}' nor note '${
+          mediaUploadNote?.id ?? 'unknown'
+        }'is not owned by '${user.username}'`,
      );
    }
-    await this.mediaService.deleteFile(mediaUpload);
  }
 }
--- a/backend/src/api/public/media/media.controller.ts
+++ b/backend/src/api/public/media/media.controller.ts
@ -4,6 +4,7 @@
 * SPDX-License-Identifier: AGPL-3.0-only
 */
 import {
+  BadRequestException,
  Controller,
  Delete,
  Param,
@ -28,10 +29,12 @@ import { MediaUploadDto } from '../../../media/media-upload.dto';
 import { MediaService } from '../../../media/media.service';
 import { MulterFile } from '../../../media/multer-file.interface';
 import { Note } from '../../../notes/note.entity';
-import { NotesService } from '../../../notes/notes.service';
+import { Permission } from '../../../permissions/permissions.enum';
 import { User } from '../../../users/user.entity';
 import { NoteHeaderInterceptor } from '../../utils/note-header.interceptor';
 import { OpenApi } from '../../utils/openapi.decorator';
+import { Permissions } from '../../utils/permissions.decorator';
+import { PermissionsGuard } from '../../utils/permissions.guard';
 import { RequestNote } from '../../utils/request-note.decorator';
 import { RequestUser } from '../../utils/request-user.decorator';

@ -44,7 +47,6 @@ export class MediaController {
  constructor(
    private readonly logger: ConsoleLoggerService,
    private mediaService: MediaService,
-    private noteService: NotesService,
  ) {
    this.logger.setContext(MediaController.name);
  }
@ -77,17 +79,29 @@ export class MediaController {
    404,
    500,
  )
+  @UseGuards(PermissionsGuard)
  @UseInterceptors(FileInterceptor('file'))
  @UseInterceptors(NoteHeaderInterceptor)
+  @Permissions(Permission.WRITE)
  async uploadMedia(
    @RequestUser() user: User,
    @UploadedFile() file: MulterFile,
    @RequestNote() note: Note,
  ): Promise<MediaUploadDto> {
-    this.logger.debug(
-      `Recieved filename '${file.originalname}' for note '${note.id}' from user '${user.username}'`,
-      'uploadMedia',
-    );
+    if (file === undefined) {
+      throw new BadRequestException('Request does not contain a file');
+    }
+    if (user) {
+      this.logger.debug(
+        `Received filename '${file.originalname}' for note '${note.publicId}' from user '${user.username}'`,
+        'uploadMedia',
+      );
+    } else {
+      this.logger.debug(
+        `Received filename '${file.originalname}' for note '${note.publicId}' from not logged in user`,
+        'uploadMedia',
+      );
+    }
    const upload = await this.mediaService.saveFile(file.buffer, user, note);
    return await this.mediaService.toMediaUploadDto(upload);
  }
@ -98,21 +112,29 @@ export class MediaController {
    @RequestUser() user: User,
    @Param('filename') filename: string,
  ): Promise<void> {
-    const username = user.username;
-    this.logger.debug(
-      `Deleting '${filename}' for user '${username}'`,
-      'deleteMedia',
-    );
    const mediaUpload = await this.mediaService.findUploadByFilename(filename);
-    if ((await mediaUpload.user).username !== username) {
+    const mediaUploadOwner = await mediaUpload.user;
+    const mediaUploadNote = await mediaUpload.note;
+    const mediaUploadNoteOwner = await mediaUploadNote?.owner;
+    if (
+      mediaUploadOwner?.id === user.id ||
+      user.id === mediaUploadNoteOwner?.id
+    ) {
+      this.logger.debug(
+        `Deleting '${filename}' for user '${user.username}'`,
+        'deleteMedia',
+      );
+      await this.mediaService.deleteFile(mediaUpload);
+    } else {
      this.logger.warn(
-        `${username} tried to delete '${filename}', but is not the owner`,
+        `${user.username} tried to delete '${filename}', but is not the owner of upload or connected note`,
        'deleteMedia',
      );
      throw new PermissionError(
-        `File '${filename}' is not owned by '${username}'`,
+        `Neither file '${filename}' nor note '${
+          mediaUploadNote?.id ?? 'unknown'
+        }'is not owned by '${user.username}'`,
      );
    }
-    await this.mediaService.deleteFile(mediaUpload);
  }
 }
--- a/backend/src/api/utils/permissions.guard.ts
+++ b/backend/src/api/utils/permissions.guard.ts
@ -16,6 +16,8 @@ import { CompleteRequest } from './request.type';
 /**
 * This guards controller methods from access, if the user has not the appropriate permissions.
 * The permissions are set via the {@link Permissions} decorator in addition to this guard.
+ * If the check permission is not CREATE the method needs to extract the noteIdOrAlias from
+ * request.params['noteIdOrAlias'] or request.headers['hedgedoc-note'] to check if the user has the permission.
 */
@Injectable()
 export class PermissionsGuard implements CanActivate {
@ -46,9 +48,11 @@ export class PermissionsGuard implements CanActivate {
    if (permissions[0] === Permission.CREATE) {
      return this.permissionsService.mayCreate(user);
    }
-    // Get the note from the parameter noteIdOrAlias
-    // Attention: This gets the note an additional time if used in conjunction with GetNoteInterceptor
-    const noteIdOrAlias = request.params['noteIdOrAlias'];
+    // Get the note from the parameter noteIdOrAlias or the http header hedgedoc-note
+    // Attention: This gets the note an additional time if used in conjunction with GetNoteInterceptor or NoteHeaderInterceptor
+    let noteIdOrAlias = request.params['noteIdOrAlias'];
+    if (noteIdOrAlias === undefined)
+      noteIdOrAlias = request.headers['hedgedoc-note'] as string;
    const note = await getNote(this.noteService, noteIdOrAlias);
    switch (permissions[0]) {
      case Permission.READ: