author | Vincent Petry <pvince81@owncloud.com> | 2016-07-13 14:31:53 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2016-07-13 14:31:53 +0200 |
commit | fb92bb1d2f5bd799681573bfd8e8998244037d29 (patch) | |
tree | 3cd07ea7628d335465f1032206e36326a076597b | |
parent | ac759d6918f5e585ccf91167cf09bfd41e24ce3a (diff) | |
parent | 23383080731d092e079986464a8c4c9ffcb79f4c (diff) | |
Merge pull request #25329 from owncloud/stable8.1-fix-versionrevertperms
[stable8.1] Prevent revert when no permission to revert
-rw-r--r-- | apps/files_versions/lib/storage.php | 8 | ||||
-rw-r--r-- | apps/files_versions/tests/versions.php | 64 |
2 files changed, 72 insertions, 0 deletions
diff --git a/apps/files_versions/lib/storage.php b/apps/files_versions/lib/storage.php
index f7072a06697..6651d25c7f3 100644
--- a/apps/files_versions/lib/storage.php
+++ b/apps/files_versions/lib/storage.php
@@ -287,8 +287,16 @@ class Storage {
 // add expected leading slash
 $file = '/' . ltrim($file, '/');
 list($uid, $filename) = self::getUidAndFilename($file);
+ if ($uid === null || trim($filename, '/') === '') {
+ return false;
+ }
 $users_view = new \OC\Files\View('/'.$uid);
 $files_view = new \OC\Files\View('/'.\OCP\User::getUser().'/files');
+
+ if (!$files_view->isUpdatable($filename)) {
+ return false;
+ }
+
 $versionCreated = false;
 //first create a new version
diff --git a/apps/files_versions/tests/versions.php b/apps/files_versions/tests/versions.php
index 7cca409ed6c..a907aa1cc36 100644
--- a/apps/files_versions/tests/versions.php
+++ b/apps/files_versions/tests/versions.php
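Review bot: The added permission check `$files_view->isUpdatable($filename)` tests `$filename`, which comes from `self::getUidAndFilename($file)`, against a view rooted at the current user's `/files`. That helper is not visible in this hunk; if it returns the owner's uid together with an owner-relative path, that path can differ from the one the current user sees for a received share, and the check would then be evaluated on a different or non-existent entry. Checking the path the caller actually passed, `if (!$files_view->isUpdatable($file)) {`, would tie the decision to the file the current user addressed. Both new early exits return `false` silently, so a denied revert leaves no trace; a debug-level log line before each `return false;` would help when investigating refused or probing requests. The enclosing function starts and ends outside the hunk.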
@@ -580,6 +580,68 @@ class Test_Files_Versioning extends \Test\TestCase {
 $this->doTestRestore();
 }
+ public function testRestoreNoPermission() {
+ $this->loginAsUser(self::TEST_VERSIONS_USER);
+
+ $userHome = \OC::$server->getUserFolder(self::TEST_VERSIONS_USER);
+ $node = $userHome->newFolder('folder');
+ $file = $node->newFile('test.txt');
+
+ \OCP\Share::shareItem(
+ 'folder',
+ $file->getId(),
+ \OCP\Share::SHARE_TYPE_USER,
+ self::TEST_VERSIONS_USER2,
+ \OCP\Constants::PERMISSION_READ
+ );
+
+ $versions = $this->createAndCheckVersions(
+ \OC\Files\Filesystem::getView(),
+ 'folder/test.txt'
+ );
+
+ $file->putContent('test file');
+
+ $this->loginAsUser(self::TEST_VERSIONS_USER2);
+
+ $firstVersion = current($versions);
+
+ $this->assertFalse(\OCA\Files_Versions\Storage::rollback('folder/test.txt', $firstVersion['version']), 'Revert did not happen');
+
+ $this->loginAsUser(self::TEST_VERSIONS_USER);
+
+ $this->assertEquals('test file', $file->getContent(), 'File content has not changed');
+ }
+
+ /**
+ * @param string $hookName name of hook called
+ * @param string $params variable to recieve parameters provided by hook
+ */
+ private function connectMockHooks($hookName, &$params) {
+ if ($hookName === null) {
+ return;
+ }
+
+ $eventHandler = $this->getMockBuilder('\stdclass')
+ ->setMethods(['callback'])
+ ->getMock();
+
+ $eventHandler->expects($this->any())
+ ->method('callback')
+ ->will($this->returnCallback(
+ function($p) use (&$params) {
+ $params = $p;
+ }
+ ));
+
+ \OCP\Util::connectHook(
+ '\OCP\Versions',
+ $hookName,
+ $eventHandler,
+ 'callback'
+ );
+ }
+
 private function doTestRestore() {
 $filePath = self::TEST_VERSIONS_USER . '/files/sub/test.txt';
 $this->rootView->file_put_contents($filePath, 'test file');
@@ -739,6 +801,8 @@ class Test_Files_Versioning extends \Test\TestCase {
 // note: we cannot predict how many versions are created due to
 // test run timing
 $this->assertGreaterThan(0, count($versions));
+
+ return $versions;
 }
 /** |
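Review bot: In `testRestoreNoPermission` the share is created with item type `'folder'` but the id of the file, `$file->getId()`, so it is not clear that `folder/test.txt` resolves at all in the second user's view. `rollback()` could then return false simply because the path is missing, and the test would pass without exercising the new `isUpdatable()` check. Passing `$node->getId()` would share the folder itself, and a companion case that shares with `\OCP\Constants::PERMISSION_UPDATE` and asserts that the revert succeeds would show the outcome depends on the permission rather than on path resolution. The recipient also sees the share under the same name as the owner, so a renamed or moved share mount is not covered.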