authorJoas Schilling <coding@schilljs.com>2019-06-21 09:22:06 +0200
committerRoeland Jago Douma <roeland@famdouma.nl>2019-06-27 15:27:30 +0200
commit7aa26b28a8bd171b5dfd2f28980247b0882f2f71 (patch)
tree895ec6a90c169aa9fdaaa5aa69ba45b05da0b712 /apps
parentc63f1d8d39f0ccae4483c6c37a1ecf7fa9040b81 (diff)
Correctly check share permissions when updating a re-sub-share
Before this change, the node you shared was checked for permissions. This works when you reshare the folder that was shared with you. However, when you reshared a subfolder (e.g. as a public link), you could afterwards update the permissions and grant create+update permissions although the share you received was read-only.

Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps')
-rw-r--r--apps/files_sharing/lib/Controller/ShareAPIController.php16
1 files changed, 13 insertions, 3 deletions
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php
index a6ad70a7f4b..66e39bb0715 100644
--- a/apps/files_sharing/lib/Controller/ShareAPIController.php
+++ b/apps/files_sharing/lib/Controller/ShareAPIController.php
@@ -975,10 +975,20 @@ class ShareAPIController extends OCSController {
}
if ($permissions !== null && $share->getShareOwner() !== $this->currentUser) {
+
+ // Get the root mount point for the user and check the share permissions there
+ $userFolder = $this->rootFolder->getUserFolder($this->currentUser);
+ $userNodes = $userFolder->getById($share->getNodeId());
+ $userNode = array_shift($userNodes);
+
+ $userMountPointId = $userNode->getMountPoint()->getStorageRootId();
+ $userMountPoints = $userFolder->getById($userMountPointId);
+ $userMountPoint = array_shift($userMountPoints);
+
/* Check if this is an incoming share */
- $incomingShares = $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_USER, $share->getNode(), -1, 0);
- $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_GROUP, $share->getNode(), -1, 0));
- $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_ROOM, $share->getNode(), -1, 0));
+ $incomingShares = $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_USER, $userMountPoint, -1, 0);
+ $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_GROUP, $userMountPoint, -1, 0));
+ $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_ROOM, $userMountPoint, -1, 0));
/** @var \OCP\Share\IShare[] $incomingShares */
if (!empty($incomingShares)) {