author | Robin Appelman <icewind@owncloud.com> | 2016-02-09 13:00:08 +0100 |
---|---|---|
committer | Robin Appelman <icewind@owncloud.com> | 2016-02-09 15:03:00 +0100 |
commit | f9f28000166628315a0e212ff51ef104242ab96f (patch) | |
tree | 6614dc7aa374b67f9dce902b94889be067702d46 /apps/files_sharing | |
parent | fd9166488b5924aba74d3f77bb6795be03501c81 (diff) | |
check share permissions in share controller
Diffstat (limited to 'apps/files_sharing')
-rw-r--r-- | apps/files_sharing/lib/controllers/sharecontroller.php | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/apps/files_sharing/lib/controllers/sharecontroller.php b/apps/files_sharing/lib/controllers/sharecontroller.php
index dae61a3537b..08679c88bb1 100644
--- a/apps/files_sharing/lib/controllers/sharecontroller.php
+++ b/apps/files_sharing/lib/controllers/sharecontroller.php
@@ -228,6 +228,16 @@ class ShareController extends Controller {
 }
 /**
+ * Validate the permissions of the share
+ *
+ * @param Share\IShare $share
+ * @return bool
+ */
+ private function validateShare(\OCP\Share\IShare $share) {
+ return $share->getNode()->isReadable() && $share->getNode()->isShareable();
+ }
+
+ /**
 * @PublicPage
 * @NoCSRFRequired
 *
@@ -253,6 +263,9 @@ class ShareController extends Controller {
 array('token' => $token)));
 }
+ if (!$this->validateShare($share)) {
+ throw new NotFoundException();
+ }
 // We can't get the path of a file share
 try {
 if ($share->getNode() instanceof \OCP\Files\File && $path !== '') {
@@ -371,6 +384,10 @@ class ShareController extends Controller {
 $userFolder = $this->rootFolder->getUserFolder($share->getShareOwner());
 $originalSharePath = $userFolder->getRelativePath($share->getNode()->getPath());
+ if (!$this->validateShare($share)) {
+ throw new NotFoundException();
+ }
+
 // Single file share
 if ($share->getNode() instanceof \OCP\Files\File) {
 // Single file download |
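Review bot: The docblock on `validateShare()` in the first hunk does not say what is validated or why, and its `@param Share\IShare $share` spells the type differently from the signature's `\OCP\Share\IShare`. I would state the contract, e.g. `@return bool true only if the shared node is still readable and shareable`, and write `@param \OCP\Share\IShare $share`, so a later reader does not relax either condition without realising it gates the share pages patched in the next two hunks. The body also calls `$share->getNode()` twice; `$node = $share->getNode();` followed by `return $node->isReadable() && $node->isShareable();` resolves the node once and reads more clearly.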
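Review bot: In the second hunk the new `validateShare($share)` call sits above the `try {` that the existing code opens before it touches `$share->getNode()`, yet `validateShare()` itself calls `getNode()`. The matching `catch` is outside this hunk, so what it does is not visible; if it records or translates a failed node lookup, both an exception raised inside `validateShare()` and the new `throw new NotFoundException();` bypass it. Consider making the check the first statement inside the `try`, so a rejected share follows the same failure path (and any access logging) as the other not-found cases. A blank line after the closing `}` would also match the way the third hunk is laid out.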
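Review bot: In the third hunk the validation runs only after `getUserFolder()` has been called for the share owner and `$share->getNode()->getPath()` has been resolved into `$originalSharePath`. Nothing is sent to the client at that point, but a fail-closed check belongs before any use of the node: move `if (!$this->validateShare($share)) { throw new NotFoundException(); }` above the `$userFolder = …` line. The start of the method is outside the hunk, so whether earlier code already touches the node is not visible here.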