check share permissions in share controller
authorRobin Appelman <icewind@owncloud.com>
Tue, 9 Feb 2016 12:00:08 +0000 (13:00 +0100)
committerRobin Appelman <icewind@owncloud.com>
Tue, 9 Feb 2016 14:03:00 +0000 (15:03 +0100)
apps/files_sharing/lib/controllers/sharecontroller.php

index dae61a3537bda2c08dd0271f16fb648eea004983..08679c88bb1bf183417c52c82b23b2b0ca57338d 100644 (file)
@@ -227,6 +227,16 @@ class ShareController extends Controller {
                }
        }
 
+       /**
+        * Validate the permissions of the share
+        *
+        * @param Share\IShare $share
+        * @return bool
+        */
+       private function validateShare(\OCP\Share\IShare $share) {
+               return $share->getNode()->isReadable() && $share->getNode()->isShareable();
+       }
+
        /**
         * @PublicPage
         * @NoCSRFRequired
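Review bot: The docblock on `validateShare()` does not say what is actually checked, and its `@param Share\IShare $share` does not match the `\OCP\Share\IShare` type hint on the signature. I would change the summary to `Returns true only when the shared node is both readable and shareable; callers treat false as a missing share.` and the tag to `@param \OCP\Share\IShare $share`. As a style point, `getNode()` is resolved twice; `$node = $share->getNode();` followed by `return $node->isReadable() && $node->isShareable();` makes it explicit that both checks run against the same node. If `getNode()` can throw for a node that no longer exists (not visible in this hunk), the docblock should carry a matching `@throws` line.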
@@ -253,6 +263,9 @@ class ShareController extends Controller {
                                array('token' => $token)));
                }
 
+               if (!$this->validateShare($share)) {
+                       throw new NotFoundException();
+               }
                // We can't get the path of a file share
                try {
                        if ($share->getNode() instanceof \OCP\Files\File && $path !== '') {
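Review bot: The new `if (!$this->validateShare($share))` check sits after the block ending in `array('token' => $token)));`, which looks like the tail of a token-keyed redirect, presumably the password prompt; its start is outside the hunk. If that reading is right, a share whose node has lost read or share permission still answers differently from an unknown token until the visitor has authenticated. Running the validation directly after the share is loaded would make both cases return the same not-found response. The rejection is also silent, so if the controller has a logger available, a log line with the share id here would let operators see links that keep being requested after permissions were revoked. The enclosing method starts and ends outside the hunk.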
@@ -371,6 +384,10 @@ class ShareController extends Controller {
                $userFolder = $this->rootFolder->getUserFolder($share->getShareOwner());
                $originalSharePath = $userFolder->getRelativePath($share->getNode()->getPath());
 
+               if (!$this->validateShare($share)) {
+                       throw new NotFoundException();
+               }
+
                // Single file share
                if ($share->getNode() instanceof \OCP\Files\File) {
                        // Single file download
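Review bot: In this hunk the check runs only after `$share->getNode()->getPath()` has been used to compute `$originalSharePath`, so the node is dereferenced before the share is validated. Moving the `if (!$this->validateShare($share)) { throw new NotFoundException(); }` block above the `$userFolder = ...` line keeps every use of the node behind the permission check, and stays correct if later edits add work between those lines. Only two call sites are visible in this diff; any other public endpoint that resolves a share by token (not shown here) would need the same guard for the fix to be complete. The enclosing method continues outside the hunk.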