Check whether the user has permissions to add personal storage backends

Quick’n dirty back port of #8182 - master has a better fix but that
should be good enough…

missing return - OCP\JSON::success does not terminate the PHP process - which is good ;-)

Use error instead of success

Revert "Use error instead of success"

This reverts commit e2d5535a5aa436c3896e46f0b9e8ff1bd5640d4d.

Use error instead of success

1 files changed, 7 insertions, 2 deletions

diff --git a/apps/files_external/ajax/addMountPoint.php b/apps/files_external/ajax/addMountPoint.php
index fed2ddfcf3d..2423692be18 100644
--- a/apps/files_external/ajax/addMountPoint.php
+++ b/apps/files_external/ajax/addMountPoint.php
@@ -1,10 +1,15 @@
 <?php
 
 OCP\JSON::checkAppEnabled('files_external');
+OCP\JSON::checkLoggedIn();
 OCP\JSON::callCheck();
 
 if ($_POST['isPersonal'] == 'true') {
-	OCP\JSON::checkLoggedIn();
+	// Check whether the user has permissions to add personal storage backends
+	if(OCP\Config::getAppValue('files_external', 'allow_user_mounting', 'yes') !== 'yes') {
+		OCP\JSON::error(array('data' => array('message' => 'no permission')));
+		return;
+	}
 	$isPersonal = true;
 } else {
 	OCP\JSON::checkAdminUser();
@@ -16,4 +21,4 @@ $status = OC_Mount_Config::addMountPoint($_POST['mountPoint'],
 							   $_POST['mountType'],
 							   $_POST['applicable'],
 							   $isPersonal);
-OCP\JSON::success(array('data' => array('message' => $status)));
\ No newline at end of file
+OCP\JSON::success(array('data' => array('message' => $status)));