Merge pull request #19764 from nextcloud/fix/transfer-ownerhip-owner-check

Do not allow transfer ownership when the user isn't the owner
author: Roeland Jago Douma <rullzer@users.noreply.github.com> 2020-03-03 20:20:43 +0100
committer: GitHub <noreply@github.com> 2020-03-03 20:20:43 +0100
commit: 65b75c8bba79a8eb7f3896ed1ffc8890183e8f31 (patch)
tree: ae570853fd1439a7387627c30f43a720d5a1fb76 /apps/files/lib
parent: b57ffe8d7517d64d513bccbc065127f56f30b702 (diff)
parent: 68b764bb0f1f9604ae9b601ab2b9947705307a6e (diff)
download: nextcloud-server-65b75c8bba79a8eb7f3896ed1ffc8890183e8f31.tar.gz
nextcloud-server-65b75c8bba79a8eb7f3896ed1ffc8890183e8f31.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files/lib/Controller/TransferOwnershipController.php b/apps/files/lib/Controller/TransferOwnershipController.php
index 639e73187ca..0b33e12e88f 100644
--- a/apps/files/lib/Controller/TransferOwnershipController.php
+++ b/apps/files/lib/Controller/TransferOwnershipController.php
@@ -96,6 +96,10 @@ class TransferOwnershipController extends OCSController {
 			return new DataResponse([], Http::STATUS_BAD_REQUEST);
 		}
 
+		if ($node->getOwner()->getUID() !== $this->userId) {
+			return new DataResponse([], Http::STATUS_FORBIDDEN);
+		}
+
 		$transferOwnership = new TransferOwnershipEntity();
 		$transferOwnership->setSourceUser($this->userId);
 		$transferOwnership->setTargetUser($recipient);
author	Roeland Jago Douma <rullzer@users.noreply.github.com>	2020-03-03 20:20:43 +0100
committer	GitHub <noreply@github.com>	2020-03-03 20:20:43 +0100
commit	65b75c8bba79a8eb7f3896ed1ffc8890183e8f31 (patch)
tree	ae570853fd1439a7387627c30f43a720d5a1fb76 /apps/files/lib
parent	b57ffe8d7517d64d513bccbc065127f56f30b702 (diff)
parent	68b764bb0f1f9604ae9b601ab2b9947705307a6e (diff)
download	nextcloud-server-65b75c8bba79a8eb7f3896ed1ffc8890183e8f31.tar.gz nextcloud-server-65b75c8bba79a8eb7f3896ed1ffc8890183e8f31.zip