Merge pull request #12544 from nextcloud/fix/better_update_share_handling

Handle permission in update of share better
author: Roeland Jago Douma <rullzer@users.noreply.github.com> 2018-11-20 16:19:11 +0100
committer: GitHub <noreply@github.com> 2018-11-20 16:19:11 +0100
commit: 1bf742c462b238f441d1a6f115a3f489c98f8bb4 (patch)
tree: 1b54ba740075c05fd308c25e6aa6a25a21272361 /apps/files_sharing
parent: e73bfd5331f51b640717c9fefd4dc5a8248939a7 (diff)
parent: a343a60a6886162c3556e5cff5a12d6218804a58 (diff)
download: nextcloud-server-1bf742c462b238f441d1a6f115a3f489c98f8bb4.tar.gz
nextcloud-server-1bf742c462b238f441d1a6f115a3f489c98f8bb4.zip
1 files changed, 4 insertions, 0 deletions
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index e33f93e8ce6..2bd535e319f 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -808,6 +808,10 @@ class ShareAPIController extends OCSController {
 			throw new OCSNotFoundException($this->l->t('Wrong share ID, share doesn\'t exist'));
 		}
 
+		if ($share->getShareOwner() !== $this->currentUser && $share->getSharedBy() !== $this->currentUser) {
+			throw new OCSForbiddenException('You are not allowed to edit incomming shares');
+		}
+
 		if ($permissions === null &&
 			$password === null &&
 			$sendPasswordByTalk === null &&
author	Roeland Jago Douma <rullzer@users.noreply.github.com>	2018-11-20 16:19:11 +0100
committer	GitHub <noreply@github.com>	2018-11-20 16:19:11 +0100
commit	1bf742c462b238f441d1a6f115a3f489c98f8bb4 (patch)
tree	1b54ba740075c05fd308c25e6aa6a25a21272361 /apps/files_sharing
parent	e73bfd5331f51b640717c9fefd4dc5a8248939a7 (diff)
parent	a343a60a6886162c3556e5cff5a12d6218804a58 (diff)
download	nextcloud-server-1bf742c462b238f441d1a6f115a3f489c98f8bb4.tar.gz nextcloud-server-1bf742c462b238f441d1a6f115a3f489c98f8bb4.zip