diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2018-11-21 08:57:55 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2018-11-21 08:57:55 +0100 |
| commit | bea70d4ad37bf1096b8f124fb162193af756576b (patch) | |
| tree | 7b4d1d97dc5f8c4c888300675fce875a1f33d01d | |
| parent | f627754965831344d4102c60e083ef88f3891bb3 (diff) | |
| parent | 7b2a7f695fd62897d20cc76b88fb60d034464ae3 (diff) | |
| download | nextcloud-server-bea70d4ad37bf1096b8f124fb162193af756576b.tar.gz nextcloud-server-bea70d4ad37bf1096b8f124fb162193af756576b.zip | |
Merge pull request #12562 from nextcloud/backport/12544/stable13
[13] Handle permission in update of share better
| -rw-r--r-- | apps/files_sharing/lib/Controller/ShareAPIController.php | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php index 470e4c53c5c..2d27293dfd8 100644 --- a/apps/files_sharing/lib/Controller/ShareAPIController.php +++ b/apps/files_sharing/lib/Controller/ShareAPIController.php @@ -695,6 +695,10 @@ class ShareAPIController extends OCSController { throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist')); } + if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) { + throw new OCSForbiddenException('You are not allowed to edit incomming shares'); + } + if ($permissions === null && $password === null && $publicUpload === null && $expireDate === null) { throw new OCSBadRequestException($this->l->t('Wrong or no update parameter given')); } |