From 9cfb438ff7fd24ef5c81c4f2e075789d320016e2 Mon Sep 17 00:00:00 2001
From: Vincent Petry <pvince81@owncloud.com>
Date: Thu, 17 Oct 2013 10:46:55 +0200
Subject: [PATCH] Fixed upload permissions distinction between public and
 logged in upload

Fixes #5370
---
 apps/files/ajax/upload.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 2c1be428e84..38c2a053a9e 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -7,6 +7,8 @@ OCP\JSON::setContentTypeHeader('text/plain');
 // If not, check the login.
 // If no token is sent along, rely on login only
 
+$allowedPermissions = OCP\PERMISSION_ALL;
+
 $l = OC_L10N::get('files');
 if (empty($_POST['dirToken'])) {
 	// The standard case, files are uploaded through logged in users :)
@@ -17,6 +19,9 @@ if (empty($_POST['dirToken'])) {
 		die();
 	}
 } else {
+	// return only read permissions for public upload
+	$allowedPermissions = OCP\PERMISSION_READ;
+
 	$linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
 	if ($linkItem === false) {
 		OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
@@ -130,7 +135,7 @@ if (strpos($dir, '..') === false) {
 							'originalname' => $files['tmp_name'][$i],
 							'uploadMaxFilesize' => $maxUploadFileSize,
 							'maxHumanFilesize' => $maxHumanFileSize,
-							'permissions' => $meta['permissions'] & OCP\PERMISSION_READ
+							'permissions' => $meta['permissions'] & $allowedPermissions
 						);
 					}
 
@@ -156,7 +161,7 @@ if (strpos($dir, '..') === false) {
 					'originalname' => $files['tmp_name'][$i],
 					'uploadMaxFilesize' => $maxUploadFileSize,
 					'maxHumanFilesize' => $maxHumanFileSize,
-					'permissions' => $meta['permissions'] & OCP\PERMISSION_READ
+					'permissions' => $meta['permissions'] & $allowedPermissions
 				);
 			}
 		}
-- 
2.39.5