]> source.dussan.org Git - nextcloud-server.git/commitdiff
projects / nextcloud-server.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 66dc4c9)
Correctly check share permissions when updating a re-sub-share
authorJoas Schilling <coding@schilljs.com>
Fri, 21 Jun 2019 07:22:06 +0000 (09:22 +0200)
committerBackportbot <backportbot-noreply@rullzer.com>
Thu, 27 Jun 2019 14:30:53 +0000 (14:30 +0000)
Before this change the node you shared was checked for permissions.
This works when you reshare the folder that was shared with you.
However when you reshared a subfolder (e.g. as public link),
you could afterwards update the permissions and grant
create+update permissions although the share you receive was read-only.

Signed-off-by: Joas Schilling <coding@schilljs.com>
apps/files_sharing/lib/Controller/ShareAPIController.php patch | blob | history

diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index a6ad70a7f4bf2dc37e1d117fc9a78ac37a824ad7..66e39bb0715ae876e2aba3360c95d54284e31b07 100644 (file)
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -975,10 +975,20 @@ class ShareAPIController extends OCSController {
                }
 
                if ($permissions !== null && $share->getShareOwner() !== $this->currentUser) {
+
+                       // Get the root mount point for the user and check the share permissions there
+                       $userFolder = $this->rootFolder->getUserFolder($this->currentUser);
+                       $userNodes = $userFolder->getById($share->getNodeId());
+                       $userNode = array_shift($userNodes);
+
+                       $userMountPointId = $userNode->getMountPoint()->getStorageRootId();
+                       $userMountPoints = $userFolder->getById($userMountPointId);
+                       $userMountPoint = array_shift($userMountPoints);
+
                        /* Check if this is an incoming share */
-                       $incomingShares = $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_USER, $share->getNode(), -1, 0);
-                       $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_GROUP, $share->getNode(), -1, 0));
-                       $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_ROOM, $share->getNode(), -1, 0));
+                       $incomingShares = $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_USER, $userMountPoint, -1, 0);
+                       $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_GROUP, $userMountPoint, -1, 0));
+                       $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_ROOM, $userMountPoint, -1, 0));
 
                        /** @var \OCP\Share\IShare[] $incomingShares */
                        if (!empty($incomingShares)) {
Nextcloud server, a safe home for all your data: https://github.com/nextcloud/server