authorVincent Petry <pvince81@owncloud.com>2016-07-13 14:31:53 +0200
committerGitHub <noreply@github.com>2016-07-13 14:31:53 +0200
commitfb92bb1d2f5bd799681573bfd8e8998244037d29 (patch)
tree3cd07ea7628d335465f1032206e36326a076597b
parentac759d6918f5e585ccf91167cf09bfd41e24ce3a (diff)
parent23383080731d092e079986464a8c4c9ffcb79f4c (diff)
Merge pull request #25329 from owncloud/stable8.1-fix-versionrevertperms
[stable8.1] Prevent revert when no permission to revert
-rw-r--r--apps/files_versions/lib/storage.php8
-rw-r--r--apps/files_versions/tests/versions.php64
2 files changed, 72 insertions, 0 deletions
diff --git a/apps/files_versions/lib/storage.php b/apps/files_versions/lib/storage.php
index f7072a06697..6651d25c7f3 100644
--- a/apps/files_versions/lib/storage.php
+++ b/apps/files_versions/lib/storage.php
@@ -287,8 +287,16 @@ class Storage {
// add expected leading slash
$file = '/' . ltrim($file, '/');
list($uid, $filename) = self::getUidAndFilename($file);
+ if ($uid === null || trim($filename, '/') === '') {
+ return false;
+ }
$users_view = new \OC\Files\View('/'.$uid);
$files_view = new \OC\Files\View('/'.\OCP\User::getUser().'/files');
+
+ if (!$files_view->isUpdatable($filename)) {
+ return false;
+ }
+
$versionCreated = false;
//first create a new version
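Review bot: The added `isUpdatable($filename)` check runs on `$files_view`, which is rooted at the current user's `/files`, while `$filename` is the value `getUidAndFilename()` returns alongside the owner `$uid`. If that helper rewrites the name into the owner's tree (its body is not in this hunk), a share that sits under a different path on the recipient side would have its permission evaluated against an unrelated path in the recipient's view. Checking the caller-relative path, `if (!$files_view->isUpdatable($file)) {`, would keep path and view in the same namespace; please confirm against `getUidAndFilename()`. Both new early returns are also silent, so a one-line log entry naming the user and path would make denied reverts visible to operators. The enclosing method (presumably `rollback`, going by the test) starts and ends outside the hunk.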
diff --git a/apps/files_versions/tests/versions.php b/apps/files_versions/tests/versions.php
index 7cca409ed6c..a907aa1cc36 100644
--- a/apps/files_versions/tests/versions.php
+++ b/apps/files_versions/tests/versions.php
@@ -580,6 +580,68 @@ class Test_Files_Versioning extends \Test\TestCase {
$this->doTestRestore();
}
+ public function testRestoreNoPermission() {
+ $this->loginAsUser(self::TEST_VERSIONS_USER);
+
+ $userHome = \OC::$server->getUserFolder(self::TEST_VERSIONS_USER);
+ $node = $userHome->newFolder('folder');
+ $file = $node->newFile('test.txt');
+
+ \OCP\Share::shareItem(
+ 'folder',
+ $file->getId(),
+ \OCP\Share::SHARE_TYPE_USER,
+ self::TEST_VERSIONS_USER2,
+ \OCP\Constants::PERMISSION_READ
+ );
+
+ $versions = $this->createAndCheckVersions(
+ \OC\Files\Filesystem::getView(),
+ 'folder/test.txt'
+ );
+
+ $file->putContent('test file');
+
+ $this->loginAsUser(self::TEST_VERSIONS_USER2);
+
+ $firstVersion = current($versions);
+
+ $this->assertFalse(\OCA\Files_Versions\Storage::rollback('folder/test.txt', $firstVersion['version']), 'Revert did not happen');
+
+ $this->loginAsUser(self::TEST_VERSIONS_USER);
+
+ $this->assertEquals('test file', $file->getContent(), 'File content has not changed');
+ }
+
+ /**
+ * @param string $hookName name of hook called
+ * @param string $params variable to recieve parameters provided by hook
+ */
+ private function connectMockHooks($hookName, &$params) {
+ if ($hookName === null) {
+ return;
+ }
+
+ $eventHandler = $this->getMockBuilder('\stdclass')
+ ->setMethods(['callback'])
+ ->getMock();
+
+ $eventHandler->expects($this->any())
+ ->method('callback')
+ ->will($this->returnCallback(
+ function($p) use (&$params) {
+ $params = $p;
+ }
+ ));
+
+ \OCP\Util::connectHook(
+ '\OCP\Versions',
+ $hookName,
+ $eventHandler,
+ 'callback'
+ );
+ }
+
private function doTestRestore() {
$filePath = self::TEST_VERSIONS_USER . '/files/sub/test.txt';
$this->rootView->file_put_contents($filePath, 'test file');
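Review bot: `testRestoreNoPermission` only proves the deny path for a read-only share whose path is the same for owner and recipient (`folder/test.txt`). There is no positive counterpart in which the recipient is granted `\OCP\Constants::PERMISSION_UPDATE` and the rollback is expected to succeed, so a check that denies every share recipient would pass this test as well. The other guard added in storage.php (`$uid === null || trim($filename, '/') === ''`) is not exercised either. In the `connectMockHooks` docblock, `$params` is typed `string` although it is a by-reference output; `@param mixed &$params receives the parameters passed to the hook` would be accurate, and "recieve" should read "receive". The helper is not called anywhere in this hunk, so its caller presumably lies outside it.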
@@ -739,6 +801,8 @@ class Test_Files_Versioning extends \Test\TestCase {
// note: we cannot predict how many versions are created due to
// test run timing
$this->assertGreaterThan(0, count($versions));
+
+ return $versions;
}
/**