diff options
author | Vincent Petry <pvince81@owncloud.com> | 2013-10-17 10:46:55 +0200 |
---|---|---|
committer | Vincent Petry <pvince81@owncloud.com> | 2013-10-17 10:46:55 +0200 |
commit | 9cfb438ff7fd24ef5c81c4f2e075789d320016e2 (patch) | |
tree | 2104589984d18a6e08a9a2db1b1d2218c8c1ebca | |
parent | 04783da829d76667079eda56d1f8b66d70813b3d (diff) | |
download | nextcloud-server-9cfb438ff7fd24ef5c81c4f2e075789d320016e2.tar.gz nextcloud-server-9cfb438ff7fd24ef5c81c4f2e075789d320016e2.zip |
Fixed upload permissions distinction between public and logged in upload
Fixes #5370
-rw-r--r-- | apps/files/ajax/upload.php | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php index 2c1be428e84..38c2a053a9e 100644 --- a/apps/files/ajax/upload.php +++ b/apps/files/ajax/upload.php @@ -7,6 +7,8 @@ OCP\JSON::setContentTypeHeader('text/plain'); // If not, check the login. // If no token is sent along, rely on login only +$allowedPermissions = OCP\PERMISSION_ALL; + $l = OC_L10N::get('files'); if (empty($_POST['dirToken'])) { // The standard case, files are uploaded through logged in users :) @@ -17,6 +19,9 @@ if (empty($_POST['dirToken'])) { die(); } } else { + // return only read permissions for public upload + $allowedPermissions = OCP\PERMISSION_READ; + $linkItem = OCP\Share::getShareByToken($_POST['dirToken']); if ($linkItem === false) { OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token'))))); @@ -130,7 +135,7 @@ if (strpos($dir, '..') === false) { 'originalname' => $files['tmp_name'][$i], 'uploadMaxFilesize' => $maxUploadFileSize, 'maxHumanFilesize' => $maxHumanFileSize, - 'permissions' => $meta['permissions'] & OCP\PERMISSION_READ + 'permissions' => $meta['permissions'] & $allowedPermissions ); } @@ -156,7 +161,7 @@ if (strpos($dir, '..') === false) { 'originalname' => $files['tmp_name'][$i], 'uploadMaxFilesize' => $maxUploadFileSize, 'maxHumanFilesize' => $maxHumanFileSize, - 'permissions' => $meta['permissions'] & OCP\PERMISSION_READ + 'permissions' => $meta['permissions'] & $allowedPermissions ); } } |