author | Julius Härtl <jus@bitgrid.net> | 2022-10-25 09:15:39 +0200 |
---|---|---|
committer | Julius Härtl <jus@bitgrid.net> | 2022-10-25 11:35:31 +0200 |
commit | 8629d8e44f31dbcc0d8237391aa2fbaeea2d13f1 (patch) | |
tree | ada100e09304e5c327d2d772653b24603e08dca8 /apps/files_sharing/lib | |
parent | e3aac7d573961933b185c87d9600580b21423a42 (diff) | |
Check share attributes on preview endpoints
Signed-off-by: Julius Härtl <jus@bitgrid.net>
Diffstat (limited to 'apps/files_sharing/lib')
-rw-r--r-- | apps/files_sharing/lib/Controller/PublicPreviewController.php | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/apps/files_sharing/lib/Controller/PublicPreviewController.php b/apps/files_sharing/lib/Controller/PublicPreviewController.php
index 98c4d8cafb4..ee11cf5f3f0 100644
--- a/apps/files_sharing/lib/Controller/PublicPreviewController.php
+++ b/apps/files_sharing/lib/Controller/PublicPreviewController.php
@@ -109,6 +109,11 @@ class PublicPreviewController extends PublicShareController {
 return new DataResponse([], Http::STATUS_FORBIDDEN);
 }
 
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+
 try {
 $node = $share->getNode();
 if ($node instanceof Folder) {
@@ -159,6 +164,11 @@ class PublicPreviewController extends PublicShareController {
 return new DataResponse([], Http::STATUS_FORBIDDEN);
 }
 
+ $attributes = $share->getAttributes();
+ if ($attributes !== null && $attributes->getAttribute('permissions', 'download') === false) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+
 try {
 $node = $share->getNode();
 if ($node instanceof Folder) { |
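Review bot: The guard on `getAttribute('permissions', 'download') === false` is added twice, identically, in the hunk at new line 112 and again in the hunk at new line 167, so the two preview endpoints carry separate copies of one access rule and a later change can reach only one of them. Moving the check into one private method of the controller that both endpoints call would keep them in step. Both enclosing methods start and end outside the hunks, so whether any other path returns a preview before this point cannot be judged from here. The strict comparison also deserves a comment, because a share with no attributes, or with the attribute unset, is still served a preview: `// Only an explicit download=false blocks the preview; null attributes or an unset attribute leave it allowed.`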