add some additonal permission checks to the webdav backend

1 files changed, 16 insertions, 1 deletions

diff --git a/apps/dav/lib/Connector/Sabre/ObjectTree.php b/apps/dav/lib/Connector/Sabre/ObjectTree.php
index 9e7d876187d..07052e30301 100644
--- a/apps/dav/lib/Connector/Sabre/ObjectTree.php
+++ b/apps/dav/lib/Connector/Sabre/ObjectTree.php
@@ -71,7 +71,7 @@ class ObjectTree extends \Sabre\DAV\Tree {
 	 * is present.
 	 *
 	 * @param string $path chunk file path to convert
-	 * 
+	 *
 	 * @return string path to real file
 	 */
 	private function resolveChunkFile($path) {
@@ -196,6 +196,15 @@ class ObjectTree extends \Sabre\DAV\Tree {
 			throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
 		}
 
+		$infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
+		$infoSource = $this->fileView->getFileInfo($sourcePath);
+		$destinationPermission = $infoDestination && $infoDestination->isUpdateable();
+		$sourcePermission =  $infoSource && $infoSource->isDeletable();
+
+		if (!$destinationPermission || !$sourcePermission) {
+			throw new Forbidden();
+		}
+
 		$targetNodeExists = $this->nodeExists($destinationPath);
 		$sourceNode = $this->getNodeForPath($sourcePath);
 		if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
@@ -273,6 +282,12 @@ class ObjectTree extends \Sabre\DAV\Tree {
 			throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
 		}
 
+
+		$info = $this->fileView->getFileInfo(dirname($destination));
+		if ($info && !$info->isUpdateable()) {
+			throw new Forbidden();
+		}
+
 		// this will trigger existence check
 		$this->getNodeForPath($source);