author | Lukas Reschke <lukas@owncloud.com> | 2016-06-08 15:38:11 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2016-06-09 15:15:17 +0200 |
commit | 075bf73c80882943acc6c73abbcc026046e6b226 (patch) | |
tree | 903a8fc7382f6df7d891bb60400b5b2dde0a46f4 /apps/files_sharing/lib/Controllers | |
parent | 66d853680ccc8f579a4b80c85376299b9b98b73b (diff) | |
Prevent access to shareinfo if share is read-only
Diffstat (limited to 'apps/files_sharing/lib/Controllers')
-rw-r--r-- | apps/files_sharing/lib/Controllers/ShareController.php | 8 |
1 files changed, 7 insertions, 1 deletions
diff --git a/apps/files_sharing/lib/Controllers/ShareController.php b/apps/files_sharing/lib/Controllers/ShareController.php
index baf2fc9ed11..56f94b91c80 100644
--- a/apps/files_sharing/lib/Controllers/ShareController.php
+++ b/apps/files_sharing/lib/Controllers/ShareController.php
@@ -252,6 +252,7 @@ class ShareController extends Controller {
 * @param string $path
 * @return TemplateResponse|RedirectResponse
 * @throws NotFoundException
+ * @throws \Exception
 */
 public function showShare($token, $path = '') {
 \OC_User::setIncognitoMode(true);
@@ -373,13 +374,18 @@ class ShareController extends Controller {
 * @param string $files
 * @param string $path
 * @param string $downloadStartSecret
- * @return void|RedirectResponse
+ * @return void|OCP\AppFramework\Http\Response
+ * @throws NotFoundException
 */
 public function downloadShare($token, $files = null, $path = '', $downloadStartSecret = '') {
 \OC_User::setIncognitoMode(true);
 $share = $this->shareManager->getShareByToken($token);
+ if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ return new OCP\AppFramework\Http\DataResponse('Share is read-only');
+ }
+
 // Share is password protected - check whether the user is permitted to access the share
 if ($share->getPassword() !== null && !$this->linkShareAuth($share)) {
 return new RedirectResponse($this->urlGenerator->linkToRoute('files_sharing.sharecontroller.authenticate', |
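Review bot: The denial branch added to downloadShare instantiates `OCP\AppFramework\Http\DataResponse` without a leading backslash, while the condition above it uses `\OCP\Constants::PERMISSION_READ`. If this file declares a namespace (not visible in the hunk), the unqualified name resolves relative to it and the branch fails with a class-not-found error instead of returning the response. The response is also built with the default status code, so a refused client still receives a success status; I would write `return new \OCP\AppFramework\Http\DataResponse('Share has no read permission', \OCP\AppFramework\Http::STATUS_FORBIDDEN);` and qualify the `@return` tag the same way. The message 'Share is read-only' describes the opposite case, since the condition fires when PERMISSION_READ is absent. The docblock gains `@throws NotFoundException` although no visible line throws it; the body of downloadShare continues outside the hunk.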