Handle permission in update of share better 12561/head
authorRoeland Jago Douma <roeland@famdouma.nl>
Tue, 20 Nov 2018 18:36:17 +0000 (19:36 +0100)
committerRoeland Jago Douma <roeland@famdouma.nl>
Tue, 20 Nov 2018 18:36:17 +0000 (19:36 +0100)
Signed-off-by: Roeland Jago Douma <roeland@famdouma.nl>
apps/files_sharing/lib/Controller/ShareAPIController.php

index 308e7bbb7429a4d4d24160745c07130aee791ea2..1354c90a9f6841bac1b3bfc373af1c0f5360f57c 100644 (file)
@@ -773,6 +773,10 @@ class ShareAPIController extends OCSController {
                        throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist'));
                }
 
+               if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) {
+                       throw new OCSForbiddenException('You are not allowed to edit incomming shares');
+               }
+
                if ($permissions === null && $password === null && $sendPasswordByTalk === null && $publicUpload === null && $expireDate === null && $note === null) {
                        throw new OCSBadRequestException($this->l->t('Wrong or no update parameter given'));
                }
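Review bot: The message of the added `OCSForbiddenException` is a hard-coded string with a typo ("incomming"), while both neighbouring exceptions in this hunk pass their text through `$this->l->t(...)`. For consistency it should read `throw new OCSForbiddenException($this->l->t('You are not allowed to edit incoming shares'));`. The guard is an authorization decision, so a short why-comment above it would help the next reader, e.g. `// Only the share owner or the user who created the share may update it; recipients are rejected.` The strict `!==` comparison only holds if `getShareOwner()`, `getSharedBy()` and `$this->currentUser` are all user-ID strings of the same form, which is presumably the case but is not visible here. The enclosing method starts and ends outside the hunk, so it is worth confirming that no later branch updates the share before this check has run, and that a test covers a recipient calling update and receiving 403.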