authorBjoern Schiessle <bjoern@schiessle.org>2016-06-30 11:09:20 +0200
committerBjoern Schiessle <bjoern@schiessle.org>2016-06-30 11:16:49 +0200
commit3571207bd956de5dc8aece2ba879f31f3696fef6 (patch)
tree22ced6e37777ad06f4b13999217e520ebdb40143
parentf7a69c765af490767fcd765f06086f7604fdbc43 (diff)
add some additonal permission checks to the webdav backend
-rw-r--r--apps/dav/lib/Connector/Sabre/ObjectTree.php17
1 files changed, 16 insertions, 1 deletions
diff --git a/apps/dav/lib/Connector/Sabre/ObjectTree.php b/apps/dav/lib/Connector/Sabre/ObjectTree.php
index 9e7d876187d..07052e30301 100644
--- a/apps/dav/lib/Connector/Sabre/ObjectTree.php
+++ b/apps/dav/lib/Connector/Sabre/ObjectTree.php
@@ -71,7 +71,7 @@ class ObjectTree extends \Sabre\DAV\Tree {
* is present.
*
* @param string $path chunk file path to convert
- *
+ *
* @return string path to real file
*/
private function resolveChunkFile($path) {
@@ -196,6 +196,15 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
+ $infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
+ $infoSource = $this->fileView->getFileInfo($sourcePath);
+ $destinationPermission = $infoDestination && $infoDestination->isUpdateable();
+ $sourcePermission = $infoSource && $infoSource->isDeletable();
+
+ if (!$destinationPermission || !$sourcePermission) {
+ throw new Forbidden();
+ }
+
$targetNodeExists = $this->nodeExists($destinationPath);
$sourceNode = $this->getNodeForPath($sourcePath);
if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
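Review bot: The destination check `$infoDestination->isUpdateable()` is applied to the parent directory whether or not the target already exists, so a move that creates a new entry is gated on update permission rather than create permission. If the permission model distinguishes the two (FileInfo also exposes `isCreatable()`), choose by target existence, e.g. `$destinationPermission = $infoDestination && ($this->nodeExists($destinationPath) ? $infoDestination->isUpdateable() : $infoDestination->isCreatable());`. `Forbidden` is thrown unqualified and without a message while the neighbouring exception is fully qualified; the matching `use` line is not visible in this diff, and a short message such as `'No permissions to move object.'` would help clients and log review. The method body starts and ends outside the hunk.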
@@ -273,6 +282,12 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
+
+ $info = $this->fileView->getFileInfo(dirname($destination));
+ if ($info && !$info->isUpdateable()) {
+ throw new Forbidden();
+ }
+
// this will trigger existence check
$this->getNodeForPath($source);
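Review bot: The guard `if ($info && !$info->isUpdateable())` fails open: when `getFileInfo(dirname($destination))` returns a falsy value, the copy proceeds with no permission check at all, whereas the move check in the previous hunk treats a missing info object as a denial. Make the two consistent with `if (!$info || !$info->isUpdateable()) {` so that an unresolvable destination parent is rejected. Whether a later call rejects that case anyway cannot be seen here, because the method body continues outside the hunk. Since a copy normally creates a new entry, it is also worth considering `isCreatable()` for the case where the target does not yet exist.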