From: Bjoern Schiessle <schiessle@owncloud.com>
Date: Thu, 21 Jun 2012 09:50:51 +0000 (+0200)
Subject: check if user is allowed to edit bookmarks
X-Git-Tag: v4.0.3~23
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=3b4d2a971ac254432cf78570a8442654cdad09c0;p=nextcloud-server.git

check if user is allowed to edit bookmarks
---

diff --git a/apps/bookmarks/ajax/editBookmark.php b/apps/bookmarks/ajax/editBookmark.php
index fcec2e1cedb..439b680dc20 100644
--- a/apps/bookmarks/ajax/editBookmark.php
+++ b/apps/bookmarks/ajax/editBookmark.php
@@ -40,18 +40,26 @@ if( $CONFIG_DBTYPE == 'sqlite' or $CONFIG_DBTYPE == 'sqlite3' ){
 }
 
 $bookmark_id = (int)$_POST["id"];
+$user_id = OCP\USER::getUser();
 
 $query = OCP\DB::prepare("
 	UPDATE *PREFIX*bookmarks
 	SET url = ?, title =?, lastmodified = $_ut
-	WHERE id = $bookmark_id
+	WHERE id = ?
+	AND user_id = ?
 	");
 
 $params=array(
 	htmlspecialchars_decode($_POST["url"]),
 	htmlspecialchars_decode($_POST["title"]),
+	$bookmark_id,
+	$user_id,
 	);
-$query->execute($params);
+
+$result = $query->execute($params);
+
+# Abort the operation if bookmark couldn't be set (probably because the user is not allowed to edit this bookmark)
+if ($result->numRows() == 0) exit();
 
 # Remove old tags and insert new ones.
 $query = OCP\DB::prepare("
@@ -66,7 +74,7 @@ $query = OCP\DB::prepare("
 	(bookmark_id, tag)
 	VALUES (?, ?)
 	");
-	
+
 $tags = explode(' ', urldecode($_POST["tags"]));
 foreach ($tags as $tag) {
 	if(empty($tag)) {