adding privilege check on move and rename operations
authorThomas Müller <thomas.mueller@tmit.eu>
Tue, 24 Sep 2013 11:26:12 +0000 (13:26 +0200)
committerThomas Müller <thomas.mueller@tmit.eu>
Tue, 24 Sep 2013 11:26:12 +0000 (13:26 +0200)
lib/connector/sabre/node.php
lib/connector/sabre/objecttree.php

index 0bffa58af78b9efe3a3688c0afb749054b34a1e3..29b7f9e53a5ba8d569e6ce0762e28e47360ca6e6 100644 (file)
@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
         */
        public function setName($name) {
 
+               // rename is only allowed if the update privilege is granted
+               if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+                       throw new \Sabre_DAV_Exception_Forbidden();
+               }
+
                list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
                list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
 
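Review bot: The guard added to setName() throws `\Sabre_DAV_Exception_Forbidden()` with no message, so a client or log reader cannot tell a denied rename from any other 403; the same bare throw is added to touch() in the next hunk. A short reason would make the denial diagnosable, e.g. `throw new \Sabre_DAV_Exception_Forbidden('No update permission on this node');`. The docblock above each method should also gain `@throws Sabre_DAV_Exception_Forbidden when the update permission is missing`, since both methods now have a new failure mode. The docblock and the rest of setName()'s body lie outside this hunk.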
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
         *  Even if the modification time is set to a custom value the access time is set to now.
         */
        public function touch($mtime) {
+
+               // touch is only allowed if the update privilege is granted
+               if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+                       throw new \Sabre_DAV_Exception_Forbidden();
+               }
+
                \OC\Files\Filesystem::touch($this->path, $mtime);
        }
 
index acff45ed5e2c0daa814843f78a5669445bb012c9..7accf98c8e1c5b9368bb54568fd6cef63470486c 100644 (file)
@@ -64,7 +64,29 @@ class ObjectTree extends \Sabre_DAV_ObjectTree {
                list($sourceDir,) = \Sabre_DAV_URLUtil::splitPath($sourcePath);
                list($destinationDir,) = \Sabre_DAV_URLUtil::splitPath($destinationPath);
 
-               Filesystem::rename($sourcePath, $destinationPath);
+               // check update privileges
+               if ($sourceDir === $destinationDir) {
+                       // for renaming it's enough to check if the sourcePath can be updated
+                       if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
+                               throw new \Sabre_DAV_Exception_Forbidden();
+                       }
+               } else {
+                       // for a full move we need update privileges on sourcePath and sourceDir as well as destinationDir
+                       if (!\OC\Files\Filesystem::isUpdatable($sourcePath)) {
+                               throw new \Sabre_DAV_Exception_Forbidden();
+                       }
+                       if (!\OC\Files\Filesystem::isUpdatable($sourceDir)) {
+                               throw new \Sabre_DAV_Exception_Forbidden();
+                       }
+                       if (!\OC\Files\Filesystem::isUpdatable($destinationDir)) {
+                               throw new \Sabre_DAV_Exception_Forbidden();
+                       }
+               }
+
+               $renameOkay = Filesystem::rename($sourcePath, $destinationPath);
+               if (!$renameOkay) {
+                       throw new \Sabre_DAV_Exception_Forbidden('');
+               }
 
                $this->markDirty($sourceDir);
                $this->markDirty($destinationDir);
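Review bot: The cross-directory branch checks only the update permission, although a move removes an entry from the source directory and creates one in the destination; if the permission model separates create and delete from update (not visible in this hunk), a user holding update-only rights on both folders could still move files between them. Consider adding `if (!\OC\Files\Filesystem::isDeletable($sourcePath))` and `if (!\OC\Files\Filesystem::isCreatable($destinationDir))` guards next to the existing ones. The `isUpdatable($sourcePath)` check is identical in both branches and could be hoisted above the `if ($sourceDir === $destinationDir)`. Separately, every `false` from `Filesystem::rename()` is reported as `Forbidden('')`, which labels storage or locking failures as permission denials and gives the client an empty message. The enclosing method starts and ends outside this hunk.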