diff options
author | Joas Schilling <coding@schilljs.com> | 2019-07-02 10:22:30 +0200 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2019-07-03 14:00:13 +0200 |
commit | e4addbae3e564b6009dc09c6c5e36c018cd8d5d0 (patch) | |
tree | 34b6c4e2cab19f9ce9cab940cc55cfbdf55aea0c | |
parent | eaabe97373baa68b5e3c396bf8e1f5a3f17ac1b6 (diff) | |
download | nextcloud-server-e4addbae3e564b6009dc09c6c5e36c018cd8d5d0.tar.gz nextcloud-server-e4addbae3e564b6009dc09c6c5e36c018cd8d5d0.zip |
Better check reshare permissions when creating a share
Signed-off-by: Joas Schilling <coding@schilljs.com>
-rw-r--r-- | build/integration/features/sharing-v1-part2.feature | 60 | ||||
-rw-r--r-- | lib/private/Share20/Manager.php | 25 | ||||
-rw-r--r-- | tests/lib/Share20/ManagerTest.php | 6 |
3 files changed, 88 insertions, 3 deletions
diff --git a/build/integration/features/sharing-v1-part2.feature b/build/integration/features/sharing-v1-part2.feature index f6532ea564d..9fbb4cda947 100644 --- a/build/integration/features/sharing-v1-part2.feature +++ b/build/integration/features/sharing-v1-part2.feature @@ -251,6 +251,66 @@ Feature: sharing Then the OCS status code should be "404" And the HTTP status code should be "200" + Scenario: User is not allowed to reshare file with additional delete permissions + As an "admin" + Given user "user0" exists + And user "user1" exists + And user "user2" exists + And As an "user0" + And creating a share with + | path | /PARENT | + | shareType | 0 | + | shareWith | user1 | + | permissions | 16 | + And As an "user1" + When creating a share with + | path | /PARENT (2) | + | shareType | 0 | + | shareWith | user2 | + | permissions | 25 | + Then the OCS status code should be "404" + And the HTTP status code should be "200" + + Scenario: User is not allowed to reshare file with additional delete permissions for files + As an "admin" + Given user "user0" exists + And user "user1" exists + And user "user2" exists + And As an "user0" + And creating a share with + | path | /textfile0.txt | + | shareType | 0 | + | shareWith | user1 | + | permissions | 16 | + And As an "user1" + When creating a share with + | path | /textfile0 (2).txt | + | shareType | 0 | + | shareWith | user2 | + | permissions | 25 | + Then the OCS status code should be "100" + And the HTTP status code should be "200" + When Getting info of last share + Then Share fields of last share match with + | id | A_NUMBER | + | item_type | file | + | item_source | A_NUMBER | + | share_type | 0 | + | share_with | user2 | + | file_source | A_NUMBER | + | file_target | /textfile0 (2).txt | + | path | /textfile0 (2).txt | + | permissions | 17 | + | stime | A_NUMBER | + | storage | A_NUMBER | + | mail_send | 0 | + | uid_owner | user1 | + | storage_id | shared::/textfile0 (2).txt | + | file_parent | A_NUMBER | + | share_with_displayname | user2 | + | displayname_owner | user1 | + | mimetype | text/plain | + Scenario: Get a share with a user which didn't received the share Given user "user0" exists And user "user1" exists diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php index df9a06e3a96..4c31a29dc02 100644 --- a/lib/private/Share20/Manager.php +++ b/lib/private/Share20/Manager.php @@ -269,11 +269,13 @@ class Manager implements IManager { // And you can't share your rootfolder if ($this->userManager->userExists($share->getSharedBy())) { - $sharedPath = $this->rootFolder->getUserFolder($share->getSharedBy())->getPath(); + $userFolder = $this->rootFolder->getUserFolder($share->getSharedBy()); + $userFolderPath = $userFolder->getPath(); } else { - $sharedPath = $this->rootFolder->getUserFolder($share->getShareOwner())->getPath(); + $userFolder = $this->rootFolder->getUserFolder($share->getShareOwner()); + $userFolderPath = $userFolder->getPath(); } - if ($sharedPath === $share->getNode()->getPath()) { + if ($userFolderPath === $share->getNode()->getPath()) { throw new \InvalidArgumentException('You can’t share your root folder'); } @@ -297,6 +299,23 @@ class Manager implements IManager { $mount = $share->getNode()->getMountPoint(); if (!($mount instanceof MoveableMount)) { $permissions |= \OCP\Constants::PERMISSION_DELETE | \OCP\Constants::PERMISSION_UPDATE; + } else if ($share->getNode()->getOwner()->getUID() !== $share->getSharedBy()) { + $userMountPointId = $mount->getStorageRootId(); + $userMountPoints = $userFolder->getById($userMountPointId); + $userMountPoint = array_shift($userMountPoints); + + /* Check if this is an incoming share */ + $incomingShares = $this->getSharedWith($share->getSharedBy(), Share::SHARE_TYPE_USER, $userMountPoint, -1, 0); + $incomingShares = array_merge($incomingShares, $this->getSharedWith($share->getSharedBy(), Share::SHARE_TYPE_GROUP, $userMountPoint, -1, 0)); + $incomingShares = array_merge($incomingShares, $this->getSharedWith($share->getSharedBy(), Share::SHARE_TYPE_ROOM, $userMountPoint, -1, 0)); + + /** @var \OCP\Share\IShare[] $incomingShares */ + if (!empty($incomingShares)) { + $permissions = 0; + foreach ($incomingShares as $incomingShare) { + $permissions |= $incomingShare->getPermissions(); + } + } } // Check that we do not share with more permissions than we have diff --git a/tests/lib/Share20/ManagerTest.php b/tests/lib/Share20/ManagerTest.php index 43310f7e05f..417ba2ebc93 100644 --- a/tests/lib/Share20/ManagerTest.php +++ b/tests/lib/Share20/ManagerTest.php @@ -589,6 +589,12 @@ class ManagerTest extends \Test\TestCase { $limitedPermssions->method('getPermissions')->willReturn(\OCP\Constants::PERMISSION_READ); $limitedPermssions->method('getPath')->willReturn('path'); + $owner = $this->createMock(IUser::class); + $owner->method('getUID') + ->willReturn($user0); + $limitedPermssions->method('getOwner') + ->willReturn($owner); + $data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_USER, $limitedPermssions, $user2, $user0, $user0, null, null, null), 'A share requires permissions', true]; $data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_GROUP, $limitedPermssions, $group0, $user0, $user0, null, null, null), 'A share requires permissions', true]; $data[] = [$this->createShare(null, \OCP\Share::SHARE_TYPE_LINK, $limitedPermssions, null, $user0, $user0, null, null, null), 'A share requires permissions', true]; |