
Fixed router bug on redirection of share path

tobychui 3 yıl önce
ebeveyn
işleme
78b994492a
2 değiştirilmiş dosya ile 37 ekleme ve 8 silme
  1. 2 2
      mod/agi/agi.share.go
  2. 35 6
      mod/share/share.go

+ 2 - 2
mod/agi/agi.share.go

@@ -41,7 +41,7 @@ func (g *Gateway) injectShareFunctions(vm *otto.Otto, u *user.User) {
 		if timeout > 0 {
 			go func(timeout int) {
 				time.Sleep(time.Duration(timeout) * time.Second)
-				g.Option.ShareManager.RemoveShareByUUID(shareID.UUID)
+				g.Option.ShareManager.RemoveShareByUUID(u, shareID.UUID)
 				log.Println("[AGI] Share auto-removed: " + shareID.UUID)
 			}(int(timeout))
 		}
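Review bot: The goroutine discards the error returned by `RemoveShareByUUID(u, shareID.UUID)` and logs "Share auto-removed" unconditionally. Now that the call performs an existence and permission check, it can fail (for example if the share was already removed or the check rejects `u`), leaving the share active past its timeout while the log claims otherwise. Check the result and log the failure instead: `if err := g.Option.ShareManager.RemoveShareByUUID(u, shareID.UUID); err != nil { log.Println("[AGI] Share auto-remove failed: " + err.Error()); return }`. The enclosing function starts and ends outside the hunk.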
@@ -55,7 +55,7 @@ func (g *Gateway) injectShareFunctions(vm *otto.Otto, u *user.User) {
 		if err != nil {
 			return otto.New().MakeCustomError("Failed to remove share", "No share UUID given")
 		}
-		err = g.Option.ShareManager.RemoveShareByUUID(shareUUID)
+		err = g.Option.ShareManager.RemoveShareByUUID(u, shareUUID)
 		if err != nil {
 			log.Println("[AGI] Share remove failed: " + err.Error())
 			return otto.New().MakeCustomError("Failed to remove share", err.Error())

+ 35 - 6
mod/share/share.go

@@ -9,6 +9,7 @@ package share
 
 import (
 	"encoding/json"
+	"errors"
 	"fmt"
 	"image"
 	"image/color"
@@ -353,7 +354,7 @@ func (s *Manager) HandleShareAccess(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(http.StatusUnauthorized)
 					w.Write([]byte("401 - Unauthorized"))
 				} else {
-					http.Redirect(w, r, common.ConstructRelativePathFromRequestURL(r.RequestURI, "login.system")+"?redirect=/share/preview/?id="+id, 307)
+					http.Redirect(w, r, common.ConstructRelativePathFromRequestURL(r.RequestURI, "login.system")+"?redirect=/share/"+id, 307)
 				}
 				return
 			} else {
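Review bot: `id` is concatenated into the `redirect` query value without escaping, both here and in the second HandleShareAccess hunk below. Where `id` comes from is outside the hunk, but if it is taken from the request path, characters such as `&`, `#` or `%` would change what the login page receives as its redirect target. Escaping keeps it a single parameter: `"?redirect="+url.QueryEscape("/share/"+id)` (this needs `net/url`, whose import is not visible here). The login handler should also accept only local paths as redirect targets; that code is not part of this commit.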
@@ -366,7 +367,7 @@ func (s *Manager) HandleShareAccess(w http.ResponseWriter, r *http.Request) {
 					w.WriteHeader(http.StatusUnauthorized)
 					w.Write([]byte("401 - Unauthorized"))
 				} else {
-					http.Redirect(w, r, common.ConstructRelativePathFromRequestURL(r.RequestURI, "login.system")+"?redirect=/share/preview/?id="+id, 307)
+					http.Redirect(w, r, common.ConstructRelativePathFromRequestURL(r.RequestURI, "login.system")+"?redirect=/share/"+id, 307)
 				}
 				return
 			}
@@ -906,9 +907,8 @@ func (s *Manager) HandleEditShare(w http.ResponseWriter, r *http.Request) {
 	}
 
 	//Check if the user has permission to edit this share
-	if so.Owner != userinfo.Username && !userinfo.IsAdmin() {
-		//This file is not shared by this user and this user is not admin. Block this request
-		sendErrorResponse(w, "Permission denied")
+	if !s.CanModifyShareEntry(userinfo, so.FileVirtualPath) {
+		common.SendErrorResponse(w, "Permission Denied")
 		return
 	}
 
@@ -1138,8 +1138,30 @@ func (s *Manager) ValidateAndClearShares() {
 
 }
 
+//Check if the user has the permission to modify this share entry
+func (s *Manager) CanModifyShareEntry(userinfo *user.User, vpath string) bool {
+	shareEntry := s.GetShareObjectFromUserAndVpath(userinfo, vpath)
+	if shareEntry == nil {
+		//Share entry not found
+		return false
+	}
+
+	//Check if the user is the share owner or the user is admin
+	if userinfo.IsAdmin() {
+		return true
+	} else if userinfo.Username == shareEntry.Owner {
+		return true
+	}
+
+	return false
+}
+
 func (s *Manager) DeleteShare(userinfo *user.User, vpath string) error {
 	ps := getPathHashFromUsernameAndVpath(userinfo, vpath)
+
+	if !s.CanModifyShareEntry(userinfo, vpath) {
+		return errors.New("Permission denied")
+	}
 	return s.options.ShareEntryTable.DeleteShareByPathHash(ps)
 }
 
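Review bot: CanModifyShareEntry looks the entry up with the requesting user's own key (`GetShareObjectFromUserAndVpath(userinfo, vpath)`) and returns false on nil before it reaches `userinfo.IsAdmin()`. If that lookup is scoped per user, as the `getPathHashFromUsernameAndVpath(userinfo, vpath)` call in DeleteShare suggests, an admin can no longer modify another user's share, and the owner comparison is always true for any entry that is found. The removed check in HandleEditShare allowed admins, so this looks like an unintended behaviour change. In RemoveShareByUUID the decision is then made on the caller's entry at `shareObject.FileVirtualPath` rather than on the entry fetched by UUID, and these may differ when two users share files at the same virtual path. Checking the fetched object directly would close that gap, e.g. `if !userinfo.IsAdmin() && shareObject.Owner != userinfo.Username { return errors.New("Permission denied") }`.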
@@ -1162,7 +1184,14 @@ func (s *Manager) FileIsShared(userinfo *user.User, vpath string) bool {
 	return s.options.ShareEntryTable.FileIsShared(ps)
 }
 
-func (s *Manager) RemoveShareByUUID(uuid string) error {
+func (s *Manager) RemoveShareByUUID(userinfo *user.User, uuid string) error {
+	shareObject := s.GetShareObjectFromUUID(uuid)
+	if shareObject == nil {
+		return errors.New("Share entry not found")
+	}
+	if !s.CanModifyShareEntry(userinfo, shareObject.FileVirtualPath) {
+		return errors.New("Permission denied")
+	}
 	return s.options.ShareEntryTable.RemoveShareByUUID(uuid)
 }