Sabre: throw exceptions when delete/create/write operations are not permitted
authorRobin Appelman <icewind@owncloud.com>
Tue, 25 Jun 2013 15:04:25 +0000 (17:04 +0200)
committerThomas Müller <thomas.mueller@tmit.eu>
Tue, 2 Jul 2013 20:29:20 +0000 (22:29 +0200)
lib/connector/sabre/directory.php
lib/connector/sabre/file.php

index 6ccb54b79abe564ba18d3694c8b87b04de4b1d1c..3d15a2a584d4acca517a9089e45f30902d2aeaac 100644 (file)
@@ -45,9 +45,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
         *
         * @param string $name Name of the file
         * @param resource|string $data Initial payload
+        * @throws Sabre_DAV_Exception_Forbidden
         * @return null|string
         */
        public function createFile($name, $data = null) {
+
+               if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+                       throw new \Sabre_DAV_Exception_Forbidden();
+               }
+
                if (isset($_SERVER['HTTP_OC_CHUNKED'])) {
                        $info = OC_FileChunking::decodeName($name);
                        if (empty($info)) {
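Review bot: The new `isCreatable($this->path)` guard only asks whether the parent directory accepts new entries, yet the `HTTP_OC_CHUNKED` branch directly below decodes `$name` into a different target name. If that target can already exist when the chunks are assembled (the branch body is outside this hunk, so this is inferred), the write is an overwrite, and the relevant permission is `isUpdatable` on the target, which this path never consults. After `decodeName` I would add a check of the form `if (\OC\Files\Filesystem::file_exists($target) && !\OC\Files\Filesystem::isUpdatable($target)) { throw new \Sabre_DAV_Exception_Forbidden(); }`, where `$target` stands for the decoded path.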
@@ -102,10 +108,15 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
         * Creates a new subdirectory
         *
         * @param string $name
+        * @throws Sabre_DAV_Exception_Forbidden
         * @return void
         */
        public function createDirectory($name) {
 
+               if (!\OC\Files\Filesystem::isCreatable($this->path)) {
+                       throw new \Sabre_DAV_Exception_Forbidden();
+               }
+
                $newPath = $this->path . '/' . $name;
                if(!\OC\Files\Filesystem::mkdir($newPath)) {
                        throw new Sabre_DAV_Exception_Forbidden('Could not create directory '.$newPath);
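Review bot: The added `throw new \Sabre_DAV_Exception_Forbidden();` carries no message, while the existing throw a few lines below reports 'Could not create directory ...', so a 403 from the permission check cannot be told apart from a failed mkdir in client or server logs. Something like `throw new \Sabre_DAV_Exception_Forbidden('No create permission on ' . $this->path);` would make the denial diagnosable. The same bare throw appears in createFile(), in put() and in both delete() hunks. The new throws also use a leading backslash where the existing one in this method does not; one spelling should be used throughout.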
@@ -203,9 +214,13 @@ class OC_Connector_Sabre_Directory extends OC_Connector_Sabre_Node implements Sa
         * Deletes all files in this directory, and then itself
         *
         * @return void
+        * @throws Sabre_DAV_Exception_Forbidden
         */
        public function delete() {
 
+               if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+                       throw new \Sabre_DAV_Exception_Forbidden();
+               }
                if ($this->path != "/Shared") {
                        foreach($this->getChildren() as $child) $child->delete();
                        \OC\Files\Filesystem::rmdir($this->path);
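Review bot: With this commit every `$child->delete()` can throw Forbidden, so the `foreach` can abort halfway and leave a directory whose deletable children are already gone; the new guard only checks the directory itself. Either walk the children first and refuse before deleting anything, or state the behaviour in the docblock, e.g. `* @throws Sabre_DAV_Exception_Forbidden possibly after some children were already deleted`. The result of `rmdir()` is also ignored, as is `unlink()` in OC_Connector_Sabre_File::delete(), so a failed delete is reported to the client as success. When the path is "/Shared" the method appears to return normally without deleting anything, though the rest of the body is outside the hunk.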
index 91646312e901a6cdb77f4697908e876be8238e55..438d9871c228ef83851f87bf2497112b35528d46 100644 (file)
@@ -41,24 +41,29 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
         * return an ETag, and just return null.
         *
         * @param resource $data
+        * @throws Sabre_DAV_Exception_Forbidden
         * @return string|null
         */
        public function put($data) {
 
+               if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+                       throw new \Sabre_DAV_Exception_Forbidden();
+               }
+
                // mark file as partial while uploading (ignored by the scanner)
                $partpath = $this->path . '.part';
 
                \OC\Files\Filesystem::file_put_contents($partpath, $data);
 
                //detect aborted upload
-               if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT' ) {
+               if (isset ($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'PUT') {
                        if (isset($_SERVER['CONTENT_LENGTH'])) {
                                $expected = $_SERVER['CONTENT_LENGTH'];
                                $actual = \OC\Files\Filesystem::filesize($partpath);
                                if ($actual != $expected) {
                                        \OC\Files\Filesystem::unlink($partpath);
                                        throw new Sabre_DAV_Exception_BadRequest(
-                                                       'expected filesize ' . $expected . ' got ' . $actual);
+                                               'expected filesize ' . $expected . ' got ' . $actual);
                                }
                        }
                }
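Review bot: The return value of `file_put_contents($partpath, $data)` is discarded, so once the new permission check passes, a failed write is noticed only when the request is a PUT with a Content-Length header. In any other case the method carries on with a missing or short `.part` file. I would fail early with `if (\OC\Files\Filesystem::file_put_contents($partpath, $data) === false) { throw new Sabre_DAV_Exception('Could not write ' . $partpath); }`. put() continues past the end of this hunk, so what happens to the part file afterwards is not visible here.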
@@ -69,7 +74,7 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
                //allow sync clients to send the mtime along in a header
                $mtime = OC_Request::hasModificationTime();
                if ($mtime !== false) {
-                       if(\OC\Files\Filesystem::touch($this->path, $mtime)) {
+                       if (\OC\Files\Filesystem::touch($this->path, $mtime)) {
                                header('X-OC-MTime: accepted');
                        }
                }
@@ -92,9 +97,13 @@ class OC_Connector_Sabre_File extends OC_Connector_Sabre_Node implements Sabre_D
         * Delete the current file
         *
         * @return void
+        * @throws Sabre_DAV_Exception_Forbidden
         */
        public function delete() {
 
+               if (!\OC\Files\Filesystem::isDeletable($this->path)) {
+                       throw new \Sabre_DAV_Exception_Forbidden();
+               }
                \OC\Files\Filesystem::unlink($this->path);
 
        }