From 293e70a6d4d0c8009880c782244b05bc09483bf2 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Thomas=20M=C3=BCller?= <thomas.mueller@tmit.eu>
Date: Tue, 24 Sep 2013 13:26:12 +0200
Subject: [PATCH] adding privilege check on move and rename operations

Conflicts:
	lib/connector/sabre/objecttree.php
---
 lib/connector/sabre/node.php | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/lib/connector/sabre/node.php b/lib/connector/sabre/node.php
index 1ffa048d6b2..f6a1c56edb8 100644
--- a/lib/connector/sabre/node.php
+++ b/lib/connector/sabre/node.php
@@ -78,6 +78,11 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 */
 	public function setName($name) {
 
+		// rename is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		list($parentPath, ) = Sabre_DAV_URLUtil::splitPath($this->path);
 		list(, $newName) = Sabre_DAV_URLUtil::splitPath($name);
 
@@ -135,6 +140,12 @@ abstract class OC_Connector_Sabre_Node implements Sabre_DAV_INode, Sabre_DAV_IPr
 	 *  Even if the modification time is set to a custom value the access time is set to now.
 	 */
 	public function touch($mtime) {
+
+		// touch is only allowed if the update privilege is granted
+		if (!\OC\Files\Filesystem::isUpdatable($this->path)) {
+			throw new \Sabre_DAV_Exception_Forbidden();
+		}
+
 		\OC\Files\Filesystem::touch($this->path, $mtime);
 	}
 
-- 
2.39.5