diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2016-02-19 19:45:03 +0100 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2016-02-19 20:45:20 +0100 |
| commit | 3bd95cca6ba614c6af77af4c33c09cc6b152729c (patch) | |
| tree | cd6de7dcc1c5da164443cc6d5fcf8a90278d36bd /apps/dav/lib | |
| parent | c13259cf9e5a977485b842c36d04d352bbb4d61b (diff) | |
| download | nextcloud-server-3bd95cca6ba614c6af77af4c33c09cc6b152729c.tar.gz nextcloud-server-3bd95cca6ba614c6af77af4c33c09cc6b152729c.zip | |
Check if user has permission to create such a tag
Fixes https://github.com/owncloud/core/issues/22512
Diffstat (limited to 'apps/dav/lib')
| -rw-r--r-- | apps/dav/lib/server.php | 6 | ||||
| -rw-r--r-- | apps/dav/lib/systemtag/systemtagnode.php | 1 | ||||
| -rw-r--r-- | apps/dav/lib/systemtag/systemtagplugin.php | 29 |
3 files changed, 32 insertions, 4 deletions
diff --git a/apps/dav/lib/server.php b/apps/dav/lib/server.php index fd18d0d21ac..74be318fe5e 100644 --- a/apps/dav/lib/server.php +++ b/apps/dav/lib/server.php @@ -93,7 +93,11 @@ class Server { $this->server->addPlugin(new \OCA\DAV\CardDAV\Plugin()); // system tags plugins - $this->server->addPlugin(new \OCA\DAV\SystemTag\SystemTagPlugin(\OC::$server->getSystemTagManager())); + $this->server->addPlugin(new \OCA\DAV\SystemTag\SystemTagPlugin( + \OC::$server->getSystemTagManager(), + \OC::$server->getGroupManager(), + \OC::$server->getUserSession() + )); // comments plugin $this->server->addPlugin(new \OCA\DAV\Comments\CommentsPlugin( diff --git a/apps/dav/lib/systemtag/systemtagnode.php b/apps/dav/lib/systemtag/systemtagnode.php index ecdb39a762c..7a47a752ad0 100644 --- a/apps/dav/lib/systemtag/systemtagnode.php +++ b/apps/dav/lib/systemtag/systemtagnode.php @@ -103,6 +103,7 @@ class SystemTagNode implements \Sabre\DAV\INode { * @param bool $userVisible user visible * @param bool $userAssignable user assignable * @throws NotFound whenever the given tag id does not exist + * @throws Forbidden whenever there is no permission to update said tag * @throws Conflict whenever a tag already exists with the given attributes */ public function update($name, $userVisible, $userAssignable) { diff --git a/apps/dav/lib/systemtag/systemtagplugin.php b/apps/dav/lib/systemtag/systemtagplugin.php index 3348b431c47..7da24ba7cf8 100644 --- a/apps/dav/lib/systemtag/systemtagplugin.php +++ b/apps/dav/lib/systemtag/systemtagplugin.php @@ -21,6 +21,8 @@ */ namespace OCA\DAV\SystemTag; +use OCP\IGroupManager; +use OCP\IUserSession; use Sabre\DAV\Exception\NotFound; use Sabre\DAV\PropFind; use Sabre\DAV\PropPatch; @@ -61,12 +63,26 @@ class SystemTagPlugin extends \Sabre\DAV\ServerPlugin { protected $tagManager; /** - * System tags plugin - * + * @var IUserSession + */ + protected $userSession; + + /** + * @var IGroupManager + */ + protected $groupManager; + + /** * @param ISystemTagManager $tagManager tag manager + * @param IGroupManager $groupManager + * @param IUserSession $userSession */ - public function __construct(ISystemTagManager $tagManager) { + public function __construct(ISystemTagManager $tagManager, + IGroupManager $groupManager, + IUserSession $userSession) { $this->tagManager = $tagManager; + $this->userSession = $userSession; + $this->groupManager = $groupManager; } /** @@ -163,6 +179,13 @@ class SystemTagPlugin extends \Sabre\DAV\ServerPlugin { if (isset($data['userAssignable'])) { $userAssignable = (bool)$data['userAssignable']; } + + if($userVisible === false || $userAssignable === false) { + if(!$this->userSession->isLoggedIn() || !$this->groupManager->isAdmin($this->userSession->getUser()->getUID())) { + throw new BadRequest('Not sufficient permissions'); + } + } + try { return $this->tagManager->createTag($tagName, $userVisible, $userAssignable); } catch (TagAlreadyExistsException $e) { |