author | Joas Schilling <coding@schilljs.com> | 2017-02-23 10:31:28 +0100 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2017-04-20 10:44:11 +0200 |
commit | c2d1e6e7ff82e46e3c933e27ca6a24f9250da14d (patch) | |
tree | 88ee87c74d464c0b59973288d5d4c5a25eb5205f /apps/dav/lib/CalDAV | |
parent | 799b229a68d3478809c084d58b69288061139ab1 (diff) | |
Restrict share handling to the owner only
Otherwise group members can remove the share for the complete group,
remove edit permissions and even single user shares for other users.
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps/dav/lib/CalDAV')
-rw-r--r-- | apps/dav/lib/CalDAV/Calendar.php | 17 |
1 files changed, 14 insertions, 3 deletions
diff --git a/apps/dav/lib/CalDAV/Calendar.php b/apps/dav/lib/CalDAV/Calendar.php
index d1eff1aeaa3..05c7e635391 100644
--- a/apps/dav/lib/CalDAV/Calendar.php
+++ b/apps/dav/lib/CalDAV/Calendar.php
@@ -61,8 +61,12 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
 * @param array $add
 * @param array $remove
 * @return void
+ * @throws Forbidden
 */
- function updateShares(array $add, array $remove) {
+ public function updateShares(array $add, array $remove) {
+ if ($this->isShared()) {
+ throw new Forbidden();
+ }
 /** @var CalDavBackend $calDavBackend */
 $calDavBackend = $this->caldavBackend;
 $calDavBackend->updateShares($this, $add, $remove);
@@ -80,7 +84,10 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
 *
 * @return array
 */
- function getShares() {
+ public function getShares() {
+ if ($this->isShared()) {
+ return [];
+ }
 /** @var CalDavBackend $calDavBackend */
 $calDavBackend = $this->caldavBackend;
 return $calDavBackend->getShares($this->getResourceId());
@@ -136,6 +143,10 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
 ];
 }
 
+ if ($this->isShared()) {
+ return $acl;
+ }
+
 /** @var CalDavBackend $calDavBackend */
 $calDavBackend = $this->caldavBackend;
 return $calDavBackend->applyShareAcl($this->getResourceId(), $acl);
@@ -156,7 +167,7 @@ class Calendar extends \Sabre\CalDAV\Calendar implements IShareable {
 if (isset($this->calendarInfo['{http://owncloud.org/ns}owner-principal']) &&
 $this->calendarInfo['{http://owncloud.org/ns}owner-principal'] !== $this->calendarInfo['principaluri']) {
 $principal = 'principal:' . parent::getOwner();
- $shares = $this->getShares();
+ $shares = $this->caldavBackend->getShares($this->getResourceId());
 $shares = array_filter($shares, function($share) use ($principal){
 return $share['href'] === $principal;
 });
|
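Review bot: The new guard in updateShares() (and the matching guards in getShares() and getACL()) decides ownership through isShared(), whose body is not part of this diff, while delete() in the last hunk tests `isset(owner-principal) && owner-principal !== principaluri`. If isShared() only checks that the owner-principal key is set, the two predicates can disagree, and an owner whose calendarInfo carries that key would be refused with Forbidden; it is worth confirming that both paths use the same comparison. A short comment above the guard would also record the intent, e.g. `// only the owner may change shares; sharees must not edit or remove them`. The body of updateShares() continues past the end of the hunk.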
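Review bot: The docblock above getShares() still says only `@return array`, although the method now returns an empty list whenever the calendar is accessed by a sharee, which a caller cannot tell apart from a calendar that has no shares. I would document that, e.g. ` * @return array shares of this calendar; always empty for non-owners`. Any other internal caller of `$this->getShares()` that can run on a sharee's instance needs the same treatment delete() receives in the last hunk; none is visible in this diff.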
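Review bot: The early `return $acl;` in getACL() means a sharee's privileges now come only from the entries built above this hunk, which start outside the visible lines. If `{DAV:}write` for a read-write sharee was previously contributed by applyShareAcl(), that sharee would silently drop to read-only; conversely the read-only case has to be enforced by those earlier entries alone. A test that asserts the resulting ACL for an owner, a read-only sharee and a read-write sharee would pin this down, and a comment such as `// sharees get no share-derived ACEs; their own access is granted above` would explain the shortcut.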
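Review bot: The direct call `$this->caldavBackend->getShares($this->getResourceId())` in delete() deliberately bypasses the guard added to getShares(), but nothing on the line says so. A later clean-up that switches back to `$this->getShares()` would always see an empty list here and, judging by the filter that follows, would presumably make every self-unshare fail. I would add `// query the backend directly: getShares() returns [] for sharees` above the line, and use the `/** @var CalDavBackend $calDavBackend */` local as the other methods do for consistency. The rest of delete() lies outside the hunk.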