diff options
| author | Björn Schießle <bjoern@schiessle.org> | 2016-06-30 14:41:23 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-06-30 14:41:23 +0200 |
| commit | 8e002b61554308cb4d50570f715303a82136f0fa (patch) | |
| tree | fa27987626d305fcc73170650d3ef6cfaedd7720 /apps/dav/lib | |
| parent | 2cdee70305d72ea018f5bccdcc8d62c159204ef9 (diff) | |
| parent | 26e14529be942e3cc3c2bb2b388b155073daecb1 (diff) | |
| download | nextcloud-server-8e002b61554308cb4d50570f715303a82136f0fa.tar.gz nextcloud-server-8e002b61554308cb4d50570f715303a82136f0fa.zip | |
Merge pull request #255 from nextcloud/dav-permission-check
add some additonal permission checks to the webdav backend
Diffstat (limited to 'apps/dav/lib')
| -rw-r--r-- | apps/dav/lib/Connector/Sabre/ObjectTree.php | 32 |
1 files changed, 29 insertions, 3 deletions
diff --git a/apps/dav/lib/Connector/Sabre/ObjectTree.php b/apps/dav/lib/Connector/Sabre/ObjectTree.php index 9e7d876187d..d8c1d71e7f1 100644 --- a/apps/dav/lib/Connector/Sabre/ObjectTree.php +++ b/apps/dav/lib/Connector/Sabre/ObjectTree.php @@ -71,7 +71,7 @@ class ObjectTree extends \Sabre\DAV\Tree { * is present. * * @param string $path chunk file path to convert - * + * * @return string path to real file */ private function resolveChunkFile($path) { @@ -186,9 +186,13 @@ class ObjectTree extends \Sabre\DAV\Tree { * * @param string $sourcePath The path to the file which should be moved * @param string $destinationPath The full destination path, so not just the destination parent node - * @throws \Sabre\DAV\Exception\BadRequest - * @throws \Sabre\DAV\Exception\ServiceUnavailable + * @throws FileLocked + * @throws Forbidden + * @throws InvalidPath * @throws \Sabre\DAV\Exception\Forbidden + * @throws \Sabre\DAV\Exception\Locked + * @throws \Sabre\DAV\Exception\NotFound + * @throws \Sabre\DAV\Exception\ServiceUnavailable * @return int */ public function move($sourcePath, $destinationPath) { @@ -196,6 +200,15 @@ class ObjectTree extends \Sabre\DAV\Tree { throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup'); } + $infoDestination = $this->fileView->getFileInfo(dirname($destinationPath)); + $infoSource = $this->fileView->getFileInfo($sourcePath); + $destinationPermission = $infoDestination && $infoDestination->isUpdateable(); + $sourcePermission = $infoSource && $infoSource->isDeletable(); + + if (!$destinationPermission || !$sourcePermission) { + throw new Forbidden('No permissions to move object.'); + } + $targetNodeExists = $this->nodeExists($destinationPath); $sourceNode = $this->getNodeForPath($sourcePath); if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) { @@ -265,6 +278,13 @@ class ObjectTree extends \Sabre\DAV\Tree { * * @param string $source * @param string $destination + * @throws FileLocked + * @throws Forbidden + * @throws InvalidPath + * @throws \Exception + * @throws \Sabre\DAV\Exception\Forbidden + * @throws \Sabre\DAV\Exception\Locked + * @throws \Sabre\DAV\Exception\NotFound * @throws \Sabre\DAV\Exception\ServiceUnavailable * @return void */ @@ -273,6 +293,12 @@ class ObjectTree extends \Sabre\DAV\Tree { throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup'); } + + $info = $this->fileView->getFileInfo(dirname($destination)); + if ($info && !$info->isUpdateable()) { + throw new Forbidden('No permissions to copy object.'); + } + // this will trigger existence check $this->getNodeForPath($source); |