author | Joas Schilling <coding@schilljs.com> | 2017-02-23 10:31:28 +0100 |
---|---|---|
committer | Joas Schilling <coding@schilljs.com> | 2017-04-20 10:44:11 +0200 |
commit | c2d1e6e7ff82e46e3c933e27ca6a24f9250da14d (patch) | |
tree | 88ee87c74d464c0b59973288d5d4c5a25eb5205f /apps/dav/lib/CardDAV/AddressBook.php | |
parent | 799b229a68d3478809c084d58b69288061139ab1 (diff) | |
download | nextcloud-server-c2d1e6e7ff82e46e3c933e27ca6a24f9250da14d.tar.gz nextcloud-server-c2d1e6e7ff82e46e3c933e27ca6a24f9250da14d.zip |
Restrict share handling to the owner only
Otherwise group members can remove the share for the whole group, strip edit permissions, and even remove single-user shares that belong to other users.
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps/dav/lib/CardDAV/AddressBook.php')
-rw-r--r-- | apps/dav/lib/CardDAV/AddressBook.php | 21 |
1 files changed, 20 insertions, 1 deletions
diff --git a/apps/dav/lib/CardDAV/AddressBook.php b/apps/dav/lib/CardDAV/AddressBook.php
index 1c13ac00aec..84448c5459e 100644
--- a/apps/dav/lib/CardDAV/AddressBook.php
+++ b/apps/dav/lib/CardDAV/AddressBook.php
@@ -64,8 +64,12 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 	 * @param array $add
 	 * @param array $remove
 	 * @return void
+	 * @throws Forbidden
 	 */
 	function updateShares(array $add, array $remove) {
+		if ($this->isShared()) {
+			throw new Forbidden();
+		}
 		/** @var CardDavBackend $carddavBackend */
 		$carddavBackend = $this->carddavBackend;
 		$carddavBackend->updateShares($this, $add, $remove);
@@ -84,6 +88,9 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 	 * @return array
 	 */
 	function getShares() {
+		if ($this->isShared()) {
+			return [];
+		}
 		/** @var CardDavBackend $carddavBackend */
 		$carddavBackend = $this->carddavBackend;
 		return $carddavBackend->getShares($this->getResourceId());
@@ -123,6 +130,10 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 				];
 		}
 
+		if ($this->isShared()) {
+			return $acl;
+		}
+
 		/** @var CardDavBackend $carddavBackend */
 		$carddavBackend = $this->carddavBackend;
 		return $carddavBackend->applyShareAcl($this->getResourceId(), $acl);
@@ -160,7 +171,7 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 	function delete() {
 		if (isset($this->addressBookInfo['{http://owncloud.org/ns}owner-principal'])) {
 			$principal = 'principal:' . parent::getOwner();
-			$shares = $this->getShares();
+			$shares = $this->carddavBackend->getShares($this->getResourceId());
 			$shares = array_filter($shares, function($share) use ($principal){
 				return $share['href'] === $principal;
 			});
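Review bot: The `Forbidden` thrown by the new guard in `updateShares` carries no message, so a sharee who hits it gets a bare 403 with nothing in the response or log explaining that share management is owner-only; a short reason helps triage without telling the sharee anything they do not already know, e.g. `throw new Forbidden('Only the owner of this address book may change its shares');`. The hunk also assumes `Forbidden` is already imported in this file — the diffstat shows no added `use` line, so it presumably was, but it is worth confirming, since an unresolved class name here would surface as a fatal error rather than a 403.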
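Review bot: `getShares` now silently returns an empty list for a sharee while `updateShares` throws for the same condition, and nothing in the hunk records that the asymmetry is deliberate, so a later reader may "fix" one to match the other. If the intent is that a sharee must not learn who else the owner shared with, say so on the early return: `// Sharees must not see the owner's share list; return an empty list rather than a 403 so listing still succeeds.` Note that `delete()` elsewhere in this commit has to bypass this method precisely because of that empty result.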
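Review bot: The early `return $acl;` added to `getACL` (whose signature and the ACL construction lie above this hunk) skips `applyShareAcl` for a sharee's instance without saying why, and the bare `if` reads like a shortcut rather than the privilege boundary it is. A why-comment keeps the next maintainer from "restoring" the call: `// Sharee instance: only the owner's instance expands share-derived ACL entries; otherwise a sharee could see or act on other principals' shares.` The protection still rests on `isShared()` identifying the instance correctly — if the backend ever omits the owner-principal key for a shared book, this early return is not taken.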
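Review bot: `delete()` now calls `$this->carddavBackend->getShares(...)` directly instead of `$this->getShares()`, and without a comment the bypass looks like an oversight that a later refactor would collapse back into `getShares()` — which on a sharee's instance now returns `[]`, so `array_filter` would match nothing and the unshare would silently become a no-op. Add on that line: `// Bypass $this->getShares(): it is empty for a sharee, but we need the real list to locate and remove our own share.` `delete()` continues past the end of this hunk.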
@@ -192,6 +203,14 @@ class AddressBook extends \Sabre\CardDAV\AddressBook implements IShareable {
 		return $cardDavBackend->collectCardProperties($this->getResourceId(), 'CATEGORIES');
 	}
 
+	private function isShared() {
+		if (!isset($this->addressBookInfo['{http://owncloud.org/ns}owner-principal'])) {
+			return false;
+		}
+
+		return $this->addressBookInfo['{http://owncloud.org/ns}owner-principal'] !== $this->addressBookInfo['principaluri'];
+	}
+
 	private function canWrite() {
 		if (isset($this->addressBookInfo['{http://owncloud.org/ns}read-only'])) {
 			return !$this->addressBookInfo['{http://owncloud.org/ns}read-only'];
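Review bot: `isShared()` has no docblock, and its fail-open default is not obvious from the code: a missing `owner-principal` key makes the instance count as the owner's own, so every guard this commit adds in `updateShares`, `getShares` and `getACL` opens up if the backend ever stops populating that key for shared address books. Document the contract so callers know what they depend on: a docblock stating that the method reports whether this instance is a sharee's view of another principal's address book, that it compares `owner-principal` against `principaluri`, that it returns `false` when no owner-principal is set, ending with `@return bool`. The existing `delete()` path makes the same `isset` assumption, so the two should be kept in step if that key's semantics ever change.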