Remove path from versions response

The path attribute contains the path relative to the owner's home folder, not the one from the recipient, which is useless for the client and needlessly discloses the owner's original path. The requested already has access to the full path of the file, so no need to add it to the response.
author: Vincent Petry <pvince81@owncloud.com> 2016-02-10 13:38:38 +0100
committer: Vincent Petry <pvince81@owncloud.com> 2016-02-10 13:38:38 +0100
commit: a6f997ddaed4ce9e179761989bbe304ed4176cb4 (patch)
tree: fb8682c3cd6220c5f1257b9025f054a6e3d2b043 /apps/files_versions
parent: 9a2c517ca8eaf25bf142696e1479355112b1f108 (diff)
download: nextcloud-server-a6f997ddaed4ce9e179761989bbe304ed4176cb4.tar.gz
nextcloud-server-a6f997ddaed4ce9e179761989bbe304ed4176cb4.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/apps/files_versions/ajax/getVersions.php b/apps/files_versions/ajax/getVersions.php
index 1953a55d13d..7d704c14618 100644
--- a/apps/files_versions/ajax/getVersions.php
+++ b/apps/files_versions/ajax/getVersions.php
@@ -41,6 +41,11 @@ if( $versions ) {
 
 	$versions = array_slice($versions, $start, $count);
 
+	// remove owner path from request to not disclose it to the recipient
+	foreach ($versions as $version) {
+		unset($version['path']);
+	}
+
 	\OCP\JSON::success(array('data' => array('versions' => $versions, 'endReached' => $endReached)));
 
 } else {
author	Vincent Petry <pvince81@owncloud.com>	2016-02-10 13:38:38 +0100
committer	Vincent Petry <pvince81@owncloud.com>	2016-02-10 13:38:38 +0100
commit	a6f997ddaed4ce9e179761989bbe304ed4176cb4 (patch)
tree	fb8682c3cd6220c5f1257b9025f054a6e3d2b043 /apps/files_versions
parent	9a2c517ca8eaf25bf142696e1479355112b1f108 (diff)
download	nextcloud-server-a6f997ddaed4ce9e179761989bbe304ed4176cb4.tar.gz nextcloud-server-a6f997ddaed4ce9e179761989bbe304ed4176cb4.zip