diff options
| author | Joas Schilling <coding@schilljs.com> | 2019-06-21 09:22:06 +0200 |
|---|---|---|
| committer | Roeland Jago Douma <roeland@famdouma.nl> | 2019-06-27 15:27:30 +0200 |
| commit | 7aa26b28a8bd171b5dfd2f28980247b0882f2f71 (patch) | |
| tree | 895ec6a90c169aa9fdaaa5aa69ba45b05da0b712 /apps | |
| parent | c63f1d8d39f0ccae4483c6c37a1ecf7fa9040b81 (diff) | |
| download | nextcloud-server-7aa26b28a8bd171b5dfd2f28980247b0882f2f71.tar.gz nextcloud-server-7aa26b28a8bd171b5dfd2f28980247b0882f2f71.zip | |
Correctly check share permissions when updating a re-sub-share
Before this change the node you shared was checked for permissions.
This works when you reshare the folder that was shared with you.
However when you reshared a subfolder (e.g. as public link),
you could afterwards update the permissions and grant
create+update permissions although the share you receive was read-only.
Signed-off-by: Joas Schilling <coding@schilljs.com>
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/files_sharing/lib/Controller/ShareAPIController.php | 16 |
1 files changed, 13 insertions, 3 deletions
diff --git a/apps/files_sharing/lib/Controller/ShareAPIController.php b/apps/files_sharing/lib/Controller/ShareAPIController.php index a6ad70a7f4b..66e39bb0715 100644 --- a/apps/files_sharing/lib/Controller/ShareAPIController.php +++ b/apps/files_sharing/lib/Controller/ShareAPIController.php @@ -975,10 +975,20 @@ class ShareAPIController extends OCSController { } if ($permissions !== null && $share->getShareOwner() !== $this->currentUser) { + + // Get the root mount point for the user and check the share permissions there + $userFolder = $this->rootFolder->getUserFolder($this->currentUser); + $userNodes = $userFolder->getById($share->getNodeId()); + $userNode = array_shift($userNodes); + + $userMountPointId = $userNode->getMountPoint()->getStorageRootId(); + $userMountPoints = $userFolder->getById($userMountPointId); + $userMountPoint = array_shift($userMountPoints); + /* Check if this is an incoming share */ - $incomingShares = $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_USER, $share->getNode(), -1, 0); - $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_GROUP, $share->getNode(), -1, 0)); - $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_ROOM, $share->getNode(), -1, 0)); + $incomingShares = $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_USER, $userMountPoint, -1, 0); + $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_GROUP, $userMountPoint, -1, 0)); + $incomingShares = array_merge($incomingShares, $this->shareManager->getSharedWith($this->currentUser, Share::SHARE_TYPE_ROOM, $userMountPoint, -1, 0)); /** @var \OCP\Share\IShare[] $incomingShares */ if (!empty($incomingShares)) { |