fix(dbfs): enforce root protection for single file share

pkg/filemanager/manager/archive.go

@@ -27,7 +27,7 @@ func (m *manager) CreateArchive(ctx context.Context, uris []*fs.URI, writer io.W
 	// List all top level files
 	files := make([]fs.File, 0, len(uris))
 	for _, uri := range uris {
-		file, err := m.Get(ctx, uri, dbfs.WithFileEntities(), dbfs.WithRequiredCapabilities(dbfs.NavigatorCapabilityDownloadFile))
+		file, err := m.Get(ctx, uri, dbfs.WithFileEntities(), dbfs.WithRequiredCapabilities(dbfs.NavigatorCapabilityDownloadFile), dbfs.WithNotRoot())
 		if err != nil {
 			return 0, fmt.Errorf("failed to get file %s: %w", uri, err)
 		}

pkg/filemanager/manager/operation.go

@@ -227,7 +227,7 @@ func (l *manager) Restore(ctx context.Context, path ...*fs.URI) error {
 }
 
 func (l *manager) CreateOrUpdateShare(ctx context.Context, path *fs.URI, args *CreateShareArgs) (*ent.Share, error) {
-	file, err := l.fs.Get(ctx, path, dbfs.WithRequiredCapabilities(dbfs.NavigatorCapabilityShare))
+	file, err := l.fs.Get(ctx, path, dbfs.WithRequiredCapabilities(dbfs.NavigatorCapabilityShare), dbfs.WithNotRoot())
 	if err != nil {
 		return nil, serializer.NewError(serializer.CodeNotFound, "src file not found", err)
 	}

pkg/filemanager/manager/viewer.go

@@ -45,7 +45,7 @@ func init() {
 }
 
 func (m *manager) CreateViewerSession(ctx context.Context, uri *fs.URI, version string, viewer *setting.Viewer) (*ViewerSession, error) {
-	file, err := m.fs.Get(ctx, uri, dbfs.WithFileEntities())
+	file, err := m.fs.Get(ctx, uri, dbfs.WithFileEntities(), dbfs.WithNotRoot())
 	if err != nil {
 		return nil, err
 	}