Shares should have a least read permission

* Throw 400 when a share is created or updated without read permissions * Added unit tests
author: Roeland Jago Douma <roeland@famdouma.nl> 2015-02-27 13:15:56 +0100
committer: Roeland Jago Douma <roeland@famdouma.nl> 2015-03-01 17:13:17 +0100
commit: 4436a9ce35c2b6ddb5eda4900e9f95e05ee9a5a6 (patch)
tree: c90ab3c022943bdf36b22592e45be106808294c7 /apps/files_sharing/api/local.php
parent: ff85d38c2a96ae5d03555e8289911fec73976a68 (diff)
download: nextcloud-server-4436a9ce35c2b6ddb5eda4900e9f95e05ee9a5a6.tar.gz
nextcloud-server-4436a9ce35c2b6ddb5eda4900e9f95e05ee9a5a6.zip
1 files changed, 8 insertions, 1 deletions
diff --git a/apps/files_sharing/api/local.php b/apps/files_sharing/api/local.php
index d9291c29f61..87a8fbbb21f 100644
--- a/apps/files_sharing/api/local.php
+++ b/apps/files_sharing/api/local.php
@@ -276,6 +276,10 @@ class Local {
 				return new \OC_OCS_Result(null, 400, "unknown share type");
 		}
 
+		if (($permissions & \OCP\Constants::PERMISSION_READ) === 0) {
+			return new \OC_OCS_Result(null, 400, 'invalid permissions');
+		}
+
 		try	{
 			$token = \OCP\Share::shareItem(
 					$itemType,
@@ -347,7 +351,6 @@ class Local {
 		}
 
 		return new \OC_OCS_Result(null, 400, "Wrong or no update parameter given");
-
 	}
 
 	/**
@@ -376,6 +379,10 @@ class Local {
 			}
 		}
 
+		if (($permissions & \OCP\Constants::PERMISSION_READ) === 0) {
+			return new \OC_OCS_Result(null, 400, 'invalid permissions');
+		}
+
 		try {
 			$return = \OCP\Share::setPermissions(
 					$itemType,
author	Roeland Jago Douma <roeland@famdouma.nl>	2015-02-27 13:15:56 +0100
committer	Roeland Jago Douma <roeland@famdouma.nl>	2015-03-01 17:13:17 +0100
commit	4436a9ce35c2b6ddb5eda4900e9f95e05ee9a5a6 (patch)
tree	c90ab3c022943bdf36b22592e45be106808294c7 /apps/files_sharing/api/local.php
parent	ff85d38c2a96ae5d03555e8289911fec73976a68 (diff)
download	nextcloud-server-4436a9ce35c2b6ddb5eda4900e9f95e05ee9a5a6.tar.gz nextcloud-server-4436a9ce35c2b6ddb5eda4900e9f95e05ee9a5a6.zip