Prevent objectstore being set from client side

2 files changed, 16 insertions, 2 deletions

diff --git a/apps/files_external/controller/storagescontroller.php b/apps/files_external/controller/storagescontroller.php
index 3d91af8bd8f..613f22c0331 100644
--- a/apps/files_external/controller/storagescontroller.php
+++ b/apps/files_external/controller/storagescontroller.php
@@ -138,6 +138,16 @@ abstract class StoragesController extends Controller {
 			);
 		}
 
+		if ($storage->getBackendOption('objectstore')) {
+			// objectstore must not be sent from client side
+			return new DataResponse(
+				array(
+					'message' => (string)$this->l10n->t('Objectstore forbidden')
+				),
+				Http::STATUS_UNPROCESSABLE_ENTITY
+			);
+		}
+
 		/** @var Backend */
 		$backend = $storage->getBackend();
 		/** @var AuthMechanism */
diff --git a/apps/files_external/service/storagesservice.php b/apps/files_external/service/storagesservice.php
index 3e2152741e5..947e544d88f 100644
--- a/apps/files_external/service/storagesservice.php
+++ b/apps/files_external/service/storagesservice.php
@@ -472,10 +472,14 @@ abstract class StoragesService {
 		if (!isset($allStorages[$id])) {
 			throw new NotFoundException('Storage with id "' . $id . '" not found');
 		}
-
 		$oldStorage = $allStorages[$id];
-		$allStorages[$id] = $updatedStorage;
 
+		// ensure objectstore is persistent
+		if ($objectstore = $oldStorage->getBackendOption('objectstore')) {
+			$updatedStorage->setBackendOption('objectstore', $objectstore);
+		}
+
+		$allStorages[$id] = $updatedStorage;
 		$this->writeConfig($allStorages);
 
 		$this->triggerChangeHooks($oldStorage, $updatedStorage);