Do not allow transfer ownership when the user isn't the owner

Signed-off-by: Christoph Wurst <christoph@winzerhof-wurst.at>
author: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-03 14:45:06 +0100
committer: Christoph Wurst <christoph@winzerhof-wurst.at> 2020-03-03 14:48:45 +0100
commit: 68b764bb0f1f9604ae9b601ab2b9947705307a6e (patch)
tree: 2d1dc7974ad60ba52fe642a7a01eb9a40080e8a0 /apps/files/lib/Controller
parent: 26ea9681ab65350fbf49cdc83ecfba23e57de400 (diff)
download: nextcloud-server-68b764bb0f1f9604ae9b601ab2b9947705307a6e.tar.gz
nextcloud-server-68b764bb0f1f9604ae9b601ab2b9947705307a6e.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files/lib/Controller/TransferOwnershipController.php b/apps/files/lib/Controller/TransferOwnershipController.php
index 639e73187ca..0b33e12e88f 100644
--- a/apps/files/lib/Controller/TransferOwnershipController.php
+++ b/apps/files/lib/Controller/TransferOwnershipController.php
@@ -96,6 +96,10 @@ class TransferOwnershipController extends OCSController {
 			return new DataResponse([], Http::STATUS_BAD_REQUEST);
 		}
 
+		if ($node->getOwner()->getUID() !== $this->userId) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$transferOwnership = new TransferOwnershipEntity();
 		$transferOwnership->setSourceUser($this->userId);
 		$transferOwnership->setTargetUser($recipient);
author	Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-03 14:45:06 +0100
committer	Christoph Wurst <christoph@winzerhof-wurst.at>	2020-03-03 14:48:45 +0100
commit	68b764bb0f1f9604ae9b601ab2b9947705307a6e (patch)
tree	2d1dc7974ad60ba52fe642a7a01eb9a40080e8a0 /apps/files/lib/Controller
parent	26ea9681ab65350fbf49cdc83ecfba23e57de400 (diff)
download	nextcloud-server-68b764bb0f1f9604ae9b601ab2b9947705307a6e.tar.gz nextcloud-server-68b764bb0f1f9604ae9b601ab2b9947705307a6e.zip