From 5dda9c08c7b2d27eb20d1dcdc1b5ebcdaecd8668 Mon Sep 17 00:00:00 2001
From: Vincent Petry <pvince81@owncloud.com>
Date: Thu, 17 Oct 2013 10:46:55 +0200
Subject: [PATCH] Fixed upload permissions distinction between public and
 logged in upload

Backport of 9cfb438ff7fd24ef5c81c4f2e075789d320016e2
---
 apps/files/ajax/upload.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 6eaa84f07e2..a81b8edb130 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -7,6 +7,8 @@ OCP\JSON::setContentTypeHeader('text/plain');
 // If not, check the login.
 // If no token is sent along, rely on login only
 
+$allowedPermissions = OCP\PERMISSION_ALL;
+
 $l = OC_L10N::get('files');
 if (empty($_POST['dirToken'])) {
 	// The standard case, files are uploaded through logged in users :)
@@ -17,6 +19,9 @@ if (empty($_POST['dirToken'])) {
 		die();
 	}
 } else {
+	// return only read permissions for public upload
+	$allowedPermissions = OCP\PERMISSION_READ;
+
 	$linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
 	if ($linkItem === false) {
 		OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
@@ -117,7 +122,7 @@ if (strpos($dir, '..') === false) {
 					'originalname' => $files['name'][$i],
 					'uploadMaxFilesize' => $maxUploadFileSize,
 					'maxHumanFilesize' => $maxHumanFileSize,
-					'permissions' => $meta['permissions'],
+					'permissions' => $meta['permissions'] & $allowedPermissions
 				);
 			}
 		}
-- 
2.39.5