fix(backend:spaces): apply MODIFY permission for PUT requests on existing files instead of ADD when the resource exists

johaven · johaven · commit e73ae93251e0 · 2025-12-30T00:03:02.000+01:00
diff --git a/backend/src/applications/files/files.controller.ts b/backend/src/applications/files/files.controller.ts
@@ -170,10 +170,10 @@ export class FilesController {
 
   @Post(`${FILES_ROUTE.TASK_OPERATION}/${FILE_OPERATION.COMPRESS}/*`)
   @SkipSpacePermissionsCheck()
-  // Compression could be used to download files, permission is checked later
+  // Can be used to create or download an archive of files; permissions are checked later
   async compressAsTask(@Req() req: FastifySpaceRequest, @Body() compressFileDto: CompressFileDto): Promise<FileTask> {
     if (compressFileDto.compressInDirectory) {
-      SpaceGuard.checkPermissions(req, this.logger)
+      await SpaceGuard.checkPermissions(req, this.logger)
     }
     return this.filesTasksManager.createTask(FILE_OPERATION.COMPRESS, req.user, req.space, compressFileDto, this.filesMethods.compress.name)
   }
diff --git a/backend/src/applications/spaces/constants/spaces.ts b/backend/src/applications/spaces/constants/spaces.ts
@@ -36,7 +36,7 @@ export enum SPACE_ROLE {
 
 export const SPACE_ALL_OPERATIONS: string = Object.values(SPACE_OPERATION).sort().join(SPACE_PERMS_SEP)
 
-export const SPACE_HTTP_PERMISSION = {
+export const SPACE_HTTP_PERMISSION: Record<string, SPACE_OPERATION> = {
   GET: null,
   POST: SPACE_OPERATION.ADD,
   PUT: SPACE_OPERATION.ADD,
@@ -54,13 +54,13 @@ export const SPACE_PERSONAL = {
   id: 0,
   alias: SPACE_ALIAS.PERSONAL,
   name: SPACE_ALIAS.PERSONAL,
-  permissions: '' // by default no rights are given on the space unless a resource is targeted
+  permissions: '' // by default, no rights are given on the space unless a resource is targeted
 } as const
 
 export const SPACE_SHARES = {
   // this space lists the shares
   id: 0,
   alias: SPACE_REPOSITORY.SHARES,
   name: SPACE_REPOSITORY.SHARES,
-  permissions: '' // by default no rights are given on the share unless a resource is targeted
+  permissions: '' // by default, no rights are given on the share unless a resource is targeted
 } as const
diff --git a/backend/src/applications/spaces/guards/space.guard.ts b/backend/src/applications/spaces/guards/space.guard.ts
@@ -6,8 +6,10 @@
 
 import { CanActivate, ExecutionContext, HttpException, HttpStatus, Injectable, Logger } from '@nestjs/common'
 import { Reflector } from '@nestjs/core'
+import { HTTP_METHOD } from '../../applications.constants'
 import { COLLABORA_CONTEXT } from '../../files/modules/collabora-online/collabora-online.constants'
 import { COLLABORA_ONLINE_TO_SPACE_SEGMENTS } from '../../files/modules/collabora-online/collabora-online.utils'
+import { isPathExists, isPathIsDir } from '../../files/utils/files'
 import { SYNC_CONTEXT } from '../../sync/decorators/sync-context.decorator'
 import { SYNC_PATH_TO_SPACE_SEGMENTS } from '../../sync/utils/routes'
 import { WEB_DAV_CONTEXT } from '../../webdav/decorators/webdav-context.decorator'
@@ -31,8 +33,16 @@ export class SpaceGuard implements CanActivate {
     private readonly spacesManager: SpacesManager
   ) {}
 
-  static checkPermissions(req: FastifySpaceRequest, logger: Logger, overrideSpacePermission?: SPACE_OPERATION) {
-    const permission = overrideSpacePermission || SPACE_HTTP_PERMISSION[req.method]
+  static async checkPermissions(req: FastifySpaceRequest, logger: Logger, overrideSpacePermission?: SPACE_OPERATION) {
+    let permission: SPACE_OPERATION
+    if (req.method === HTTP_METHOD.PUT && (await isPathExists(req.space.realPath)) && !(await isPathIsDir(req.space.realPath))) {
+      // PUT method may either create a new resource or replace an existing one.
+      // Therefore, we must check whether the target resource already exists to apply the appropriate permission rules.
+      permission = SPACE_OPERATION.MODIFY
+    } else {
+      // The override is applied for specific POST methods that update an existing file rather than creating it.
+      permission = overrideSpacePermission || SPACE_HTTP_PERMISSION[req.method]
+    }
     if (!haveSpaceEnvPermissions(req.space, permission)) {
       logger.warn(`is not allowed to ${req.method} on this space path : *${req.space.alias}* (${req.space.id}) : ${req.space.url}`)
       throw new HttpException('You are not allowed to do this action', HttpStatus.FORBIDDEN)
@@ -81,7 +91,7 @@ export class SpaceGuard implements CanActivate {
     const skipSpacePermissionsCheck = this.reflector.getAllAndOverride(SKIP_SPACE_PERMISSIONS_CHECK, [ctx.getHandler(), ctx.getClass()])
     if (skipSpacePermissionsCheck === undefined) {
       const overrideSpacePermission: SPACE_OPERATION = this.reflector.getAllAndOverride(OverrideSpacePermission, [ctx.getHandler(), ctx.getClass()])
-      SpaceGuard.checkPermissions(req, this.logger, overrideSpacePermission)
+      await SpaceGuard.checkPermissions(req, this.logger, overrideSpacePermission)
     }
     return true
   }

Original file line number	Diff line number	Diff line change
`@@ -170,10 +170,10 @@ export class FilesController {`
`170`	`170`
`171`	`171`	@Post(`${FILES_ROUTE.TASK_OPERATION}/${FILE_OPERATION.COMPRESS}/*`)
`172`	`172`	`@SkipSpacePermissionsCheck()`
`173`		`- // Compression could be used to download files, permission is checked later`
	`173`	`+ // Can be used to create or download an archive of files; permissions are checked later`
`174`	`174`	`async compressAsTask(@Req() req: FastifySpaceRequest, @Body() compressFileDto: CompressFileDto): Promise<FileTask> {`
`175`	`175`	`if (compressFileDto.compressInDirectory) {`
`176`		`- SpaceGuard.checkPermissions(req, this.logger)`
	`176`	`+ await SpaceGuard.checkPermissions(req, this.logger)`
`177`	`177`	`}`
`178`	`178`	`return this.filesTasksManager.createTask(FILE_OPERATION.COMPRESS, req.user, req.space, compressFileDto, this.filesMethods.compress.name)`
`179`	`179`	`}`