author | Morris Jobke <hey@morrisjobke.de> | 2016-08-02 14:17:22 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-08-02 14:17:22 +0200 |
commit | 17c302709462d52a7027f9e34520a3ef9d88e648 (patch) | |
tree | 6139bec51ce86c4387108f6d478f779de53b5150 | |
parent | ab3b90eff2531e9066c53c817489b7fdb60bc269 (diff) | |
parent | 1088870eb1df3586371290afe96c06e6f63d3b47 (diff) | |
download | nextcloud-server-17c302709462d52a7027f9e34520a3ef9d88e648.tar.gz nextcloud-server-17c302709462d52a7027f9e34520a3ef9d88e648.zip |
Merge pull request #637 from nextcloud/h1-prevent-delete-update-on-group-shares
Do not allow to delete/update group shares as a group member
-rw-r--r-- | apps/files_sharing/lib/API/Share20OCS.php | 8 | ||||
-rw-r--r-- | build/integration/features/sharing-v1.feature | 16 |
2 files changed, 20 insertions, 4 deletions
diff --git a/apps/files_sharing/lib/API/Share20OCS.php b/apps/files_sharing/lib/API/Share20OCS.php
index fd5e5ddc786..593e9d877c7 100644
--- a/apps/files_sharing/lib/API/Share20OCS.php
+++ b/apps/files_sharing/lib/API/Share20OCS.php
@@ -224,7 +224,7 @@ class Share20OCS {
 return new \OC_OCS_Result(null, 404, 'could not delete share');
 }
- if (!$this->canAccessShare($share)) {
+ if (!$this->canAccessShare($share, false)) {
 $share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
 return new \OC_OCS_Result(null, 404, $this->l->t('Could not delete share'));
 }
@@ -573,7 +573,7 @@ class Share20OCS {
 $share->getNode()->lock(\OCP\Lock\ILockingProvider::LOCK_SHARED);
- if (!$this->canAccessShare($share)) {
+ if (!$this->canAccessShare($share, false)) {
 $share->getNode()->unlock(ILockingProvider::LOCK_SHARED);
 return new \OC_OCS_Result(null, 404, $this->l->t('Wrong share ID, share doesn\'t exist'));
 }
@@ -703,7 +703,7 @@ class Share20OCS {
 * @param \OCP\Share\IShare $share
 * @return bool
 */
- protected function canAccessShare(\OCP\Share\IShare $share) {
+ protected function canAccessShare(\OCP\Share\IShare $share, $checkGroups = true) {
 // A file with permissions 0 can't be accessed by us. So Don't show it
 if ($share->getPermissions() === 0) {
 return false;
@@ -722,7 +722,7 @@ class Share20OCS {
 return true;
 }
- if ($share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
+ if ($checkGroups && $share->getShareType() === \OCP\Share::SHARE_TYPE_GROUP) {
 $sharedWith = $this->groupManager->get($share->getSharedWith());
 if ($sharedWith->inGroup($this->currentUser)) {
 return true;
diff --git a/build/integration/features/sharing-v1.feature b/build/integration/features/sharing-v1.feature
index 16d04e81330..94d12ce3e72 100644
--- a/build/integration/features/sharing-v1.feature
+++ b/build/integration/features/sharing-v1.feature
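Review bot: The new `$checkGroups` parameter on `canAccessShare()` is undocumented and defaults to the permissive value: the docblock above the signature (third hunk) still describes only `$share`, and any caller that omits the argument keeps granting access through group membership. Add `@param bool $checkGroups whether membership in the recipient group grants access; pass false for operations that modify or delete the share`. The delete and update call sites in the first two hunks pass a bare `false`, so a short comment there, such as `// group members may read a group share but not delete or update it`, would keep the authorization intent visible. Because the default is fail-open, it is worth checking that no other mutating path calls `canAccessShare($share)` without the flag; those callers are outside the visible hunks.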
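Review bot: In the last Share20OCS.php hunk the result of `$this->groupManager->get($share->getSharedWith())` is dereferenced with `->inGroup()` without a null check, and the new `$checkGroups &&` guard leaves that unchanged for the read path. If the recipient group has since been removed and `get()` returns null, the access check ends in a fatal error instead of a clean denial. Consider `if ($sharedWith !== null && $sharedWith->inGroup($this->currentUser)) {`. The rest of `canAccessShare()` lies outside the hunk, so whether an earlier branch already rules this out cannot be seen here.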
@@ -759,3 +759,19 @@ Feature: sharing
 | shareType | 0 |
 Then the OCS status code should be "997"
 And the HTTP status code should be "401"
+
+ Scenario: Deleting a group share as user
+ Given As an "admin"
+ And user "user0" exists
+ And user "user1" exists
+ And group "group1" exists
+ And user "user1" belongs to group "group1"
+ And As an "user0"
+ And creating a share with
+ | path | welcome.txt |
+ | shareType | 1 |
+ | shareWith | group1 |
+ When As an "user1"
+ And Deleting last share
+ Then the OCS status code should be "404"
+ And the HTTP status code should be "200" |
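Review bot: The added scenario covers only the delete path, while the same commit also changes the update path in Share20OCS.php to call `canAccessShare($share, false)`. A sibling scenario in which "user1" tries to update the group share and receives OCS status "404" would pin the second half of the fix. The delete scenario also stops at the status codes; a follow-up step confirming as "user0" that the share still exists would show that the request was rejected before any state changed, not merely reported as failed.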