From 8fa3e7a6bf42fc907a5e98f01104220b35fee48f Mon Sep 17 00:00:00 2001
From: Vincent Petry
Date: Mon, 19 Jan 2015 14:39:00 +0100
Subject: [PATCH] Do not retrieve shares through group if user has no group
---
 lib/private/share/share.php | 38 +++++++++++++++++++------------------
 tests/lib/share/share.php | 27 +++++++++++++++++++++++++-
 2 files changed, 46 insertions(+), 19 deletions(-)
diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index e5f350a24fb..c9f9654203e 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@@ -337,27 +337,29 @@ class Share extends \OC\Share\Constants {
 if(empty($shares) && $user !== null) {
 $groups = \OC_Group::getUserGroups($user);
- $where = 'WHERE `' . $column . '` = ? AND `item_type` = ? AND `share_with` in (?)';
- $arguments = array($itemSource, $itemType, $groups);
- $types = array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY);
+ if (!empty($groups)) {
+ $where = 'WHERE `' . $column . '` = ? AND `item_type` = ? AND `share_with` in (?)';
+ $arguments = array($itemSource, $itemType, $groups);
+ $types = array(null, null, \Doctrine\DBAL\Connection::PARAM_STR_ARRAY);
- if ($owner !== null) {
- $where .= ' AND `uid_owner` = ?';
- $arguments[] = $owner;
- $types[] = null;
- }
+ if ($owner !== null) {
+ $where .= ' AND `uid_owner` = ?';
+ $arguments[] = $owner;
+ $types[] = null;
+ }
- // TODO: inject connection, hopefully one day in the future when this
- // class isn't static anymore...
- $conn = \OC_DB::getConnection();
- $result = $conn->executeQuery(
- 'SELECT * FROM `*PREFIX*share` ' . $where,
- $arguments,
- $types
- );
+ // TODO: inject connection, hopefully one day in the future when this
+ // class isn't static anymore...
+ $conn = \OC_DB::getConnection();
+ $result = $conn->executeQuery(
+ 'SELECT * FROM `*PREFIX*share` ' . $where,
+ $arguments,
+ $types
+ );
- while ($row = $result->fetch()) {
- $shares[] = $row;
+ while ($row = $result->fetch()) {
+ $shares[] = $row;
+ }
 }
 }
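Review bot: The group lookup now wrapped in `if (!empty($groups))` still selects rows purely on `share_with` matching one of the user's group names and never constrains `share_type`, so a user-type share addressed to an account whose name equals one of those groups would be returned to this user as well (the test setup in this commit creates a `groupAndUser` name, which suggests such collisions are possible). Consider appending a `share_type = ?` condition to `$where`, bound to the group share type (presumably `self::SHARE_TYPE_GROUP`) with a matching `$types` entry, unless rows are filtered again later outside this hunk. `$column` is also concatenated into the SQL text and is assigned outside the hunk, so it is worth confirming it can only take a fixed set of column names. The enclosing method starts and ends outside the hunk.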
diff --git a/tests/lib/share/share.php b/tests/lib/share/share.php
index 4b42036fc22..6a50dd1f962 100644
--- a/tests/lib/share/share.php
+++ b/tests/lib/share/share.php
@@ -27,6 +27,8 @@ class Test_Share extends \Test\TestCase {
 protected $user2;
 protected $user3;
 protected $user4;
+ protected $user5;
+ protected $user6;
 protected $groupAndUser;
 protected $groupBackend;
 protected $group1;
@@ -45,12 +47,14 @@ class Test_Share extends \Test\TestCase {
 $this->user3 = $this->getUniqueID('user3_');
 $this->user4 = $this->getUniqueID('user4_');
 $this->user5 = $this->getUniqueID('user5_');
+ $this->user6 = $this->getUniqueID('user6_');
 $this->groupAndUser = $this->getUniqueID('groupAndUser_');
 OC_User::createUser($this->user1, 'pass');
 OC_User::createUser($this->user2, 'pass');
 OC_User::createUser($this->user3, 'pass');
 OC_User::createUser($this->user4, 'pass');
 OC_User::createUser($this->user5, 'pass');
+ OC_User::createUser($this->user6, 'pass'); // no group
 OC_User::createUser($this->groupAndUser, 'pass');
 OC_User::setUserId($this->user1);
 OC_Group::clearBackends();
@@ -85,6 +89,18 @@ class Test_Share extends \Test\TestCase {
 $query->execute(array('test'));
 OC_Appconfig::setValue('core', 'shareapi_allow_resharing', $this->resharing);
+ OC_User::deleteUser($this->user1);
+ OC_User::deleteUser($this->user2);
+ OC_User::deleteUser($this->user3);
+ OC_User::deleteUser($this->user4);
+ OC_User::deleteUser($this->user5);
+ OC_User::deleteUser($this->user6);
+ OC_User::deleteUser($this->groupAndUser);
+
+ OC_Group::deleteGroup($this->group1);
+ OC_Group::deleteGroup($this->group2);
+ OC_Group::deleteGroup($this->groupAndUser);
+
 parent::tearDown();
 }
@@ -720,6 +736,8 @@ class Test_Share extends \Test\TestCase {
 $query->execute($args);
 $args = array('test', 99, 'target4', OCP\Share::SHARE_TYPE_USER, $this->user3, $this->user4);
 $query->execute($args);
+ $args = array('test', 99, 'target4', OCP\Share::SHARE_TYPE_USER, $this->user6, $this->user4);
+ $query->execute($args);
 $result1 = \OCP\Share::getItemSharedWithUser('test', 99, $this->user2, $this->user1);
@@ -735,8 +753,12 @@ class Test_Share extends \Test\TestCase {
 $this->verifyResult($result3, array('target3', 'target4'));
 $result4 = \OCP\Share::getItemSharedWithUser('test', 99, null, null);
- $this->assertSame(4, count($result4));
+ $this->assertSame(5, count($result4)); // 5 because target4 appears twice
 $this->verifyResult($result4, array('target1', 'target2', 'target3', 'target4'));
+
+ $result6 = \OCP\Share::getItemSharedWithUser('test', 99, $this->user6, null);
+ $this->assertSame(1, count($result6));
+ $this->verifyResult($result6, array('target4'));
 }
 public function testGetItemSharedWithUserFromGroupShare() {
@@ -772,6 +794,9 @@ class Test_Share extends \Test\TestCase {
 $result4 = \OCP\Share::getItemSharedWithUser('test', 99, null, null);
 $this->assertSame(4, count($result4));
 $this->verifyResult($result4, array('target1', 'target2', 'target3', 'target4'));
+
+ $result6 = \OCP\Share::getItemSharedWithUser('test', 99, $this->user6, null);
+ $this->assertSame(0, count($result6));
 }
 public function verifyResult($result, $expected) {