fix: Prevent download of view-only files (one more case)

Signed-off-by: Kostiantyn Miakshyn <molodchick@gmail.com>

Author: Koc

apps/files/lib/Controller/ConversionApiController.php

@@ -21,7 +21,9 @@
 use OCP\AppFramework\OCS\OCSForbiddenException;
 use OCP\AppFramework\OCS\OCSNotFoundException;
 use OCP\AppFramework\OCSController;
+use OCP\EventDispatcher\IEventDispatcher;
 use OCP\Files\Conversion\IConversionManager;
+use OCP\Files\Events\BeforeDirectFileDownloadEvent;
 use OCP\Files\File;
 use OCP\Files\GenericFileException;
 use OCP\Files\IRootFolder;
@@ -37,6 +39,7 @@ public function __construct(
 		private IRootFolder $rootFolder,
 		private IL10N $l10n,
 		private ?string $userId,
+		private IEventDispatcher $eventDispatcher,
 	) {
 		parent::__construct($appName, $request);
 	}
@@ -67,6 +70,13 @@ public function convert(int $fileId, string $targetMimeType, ?string $destinatio
 			throw new OCSNotFoundException($this->l10n->t('The file cannot be found'));
 		}
 
+		$event = new BeforeDirectFileDownloadEvent($userFolder->getRelativePath($file->getPath()));
+		$this->eventDispatcher->dispatchTyped($event);
+
+		if ($event->isSuccessful() === false) {
+			throw new OCSForbiddenException('Permission denied to download file');
+		}
+
 		if ($destination !== null) {
 			$destination = PathHelper::normalizePath($destination);
 			$parentDir = dirname($destination);