author | Roeland Jago Douma <rullzer@owncloud.com> | 2016-04-01 17:02:59 +0200 |
---|---|---|
committer | Roeland Jago Douma <rullzer@owncloud.com> | 2016-04-08 14:17:05 +0200 |
commit | bd3bde2f3bccb8550f1dbe3c8b254052e8b38865 (patch) | |
tree | f447d2e8aeda717e389a1e9f9c92ce82d4da01f5 | |
parent | 6eefea1bb65897b0a1cf8668b15998a12ae197b9 (diff) | |
Set proper permissions on link share
If we do not allow public upload we should limit the permissions on
link shares upon retrieval.
* Added unit test
* Allow fetching federated shares by token as well
-rw-r--r-- | lib/private/Share20/Manager.php | 20 | ||||
-rw-r--r-- | tests/lib/share20/managertest.php | 19 |
2 files changed, 38 insertions, 1 deletions
diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php index 6c665f7e133..be7257de36d 100644 --- a/lib/private/Share20/Manager.php +++ b/lib/private/Share20/Manager.php @@ -976,7 +976,17 @@ class Manager implements IManager { public function getShareByToken($token) { $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_LINK); - $share = $provider->getShareByToken($token); + try { + $share = $provider->getShareByToken($token); + } catch (ShareNotFound $e) { + //Ignore + } + + // If it is not a link share try to fetch a federated share by token + if ($share === null) { + $provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_REMOTE); + $share = $provider->getShareByToken($token); + } if ($share->getExpirationDate() !== null && $share->getExpirationDate() <= new \DateTime()) { @@ -984,6 +994,14 @@ class Manager implements IManager { throw new ShareNotFound(); } + /* + * Reduce the permissions for link shares if public upload is not enabled + */ + if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK && + !$this->shareApiLinkAllowPublicUpload()) { + $share->setPermissions($share->getPermissions() & ~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE)); + } + return $share; } diff --git a/tests/lib/share20/managertest.php b/tests/lib/share20/managertest.php index 029c8cd8543..d8eb3e0a31e 100644 --- a/tests/lib/share20/managertest.php +++ b/tests/lib/share20/managertest.php 
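Review bot: `$share` is never initialised before the `try`, so when the link provider throws `ShareNotFound` the following `if ($share === null)` reads an undefined variable; add `$share = null;` ahead of the `try {`. The fallback also means `getShareByToken()` can now hand back a `SHARE_TYPE_REMOTE` share, so callers that treated the result as a link share (password or public-page handling, presumably) should check `getShareType()`; this is worth confirming at the call sites, which are not visible here. It is also not shown what `getProviderForType(\OCP\Share::SHARE_TYPE_REMOTE)` does when federation is unavailable; if it can throw, that should surface as `ShareNotFound` rather than leak a different exception. The function body continues outside this hunk.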
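Review bot: The mask in the `setPermissions()` call clears only `PERMISSION_CREATE` and `PERMISSION_UPDATE`, so a link share stored with `PERMISSION_DELETE` still carries delete rights after public upload is switched off; if that is not intended, use `~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE)`. The reduction is also applied by mutating the object the provider returned, so a caller that later saves this share would presumably persist the reduced permissions; a short comment stating that the change is meant to be in-memory only, or working on a copy, would make that explicit. Only this token path is covered by the hunk, and the rest of `getShareByToken()` lies outside it.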
@@ -2084,6 +2084,25 @@ class ManagerTest extends \Test\TestCase { $this->assertSame($share, $res); } + public function testGetShareByTokenPublicSharingDisabled() { + $share = $this->manager->newShare(); + $share->setShareType(\OCP\Share::SHARE_TYPE_LINK) + ->setPermissions(\OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE); + + $this->config->method('getAppValue')->will($this->returnValueMap([ + ['core', 'shareapi_allow_public_upload', 'yes', 'no'], + ])); + + $this->defaultProvider->expects($this->once()) + ->method('getShareByToken') + ->willReturn('validToken') + ->willReturn($share); + + $res = $this->manager->getShareByToken('validToken'); + + $this->assertSame(\OCP\Constants::PERMISSION_READ, $res->getPermissions()); + } + public function testCheckPasswordNoLinkShare() { $share = $this->getMock('\OCP\Share\IShare'); $share->method('getShareType')->willReturn(\OCP\Share::SHARE_TYPE_USER); |
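Review bot: The mock setup chains `->willReturn('validToken')->willReturn($share)`, where the first call was most likely meant to be `->with('validToken')`; as written the token passed to the provider is never asserted and the first return value is simply overwritten. The test name says "PublicSharingDisabled" although the setting it stubs is `shareapi_allow_public_upload`, so `testGetShareByTokenPublicUploadDisabled` would describe it better. The share under test carries no `PERMISSION_DELETE`, and there is no case for the new federated fallback or for a link provider that throws `ShareNotFound`, so both new branches in `Manager::getShareByToken()` stay unexercised.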