authorFerdinand Thiessen <opensource@fthiessen.de>2024-08-02 12:34:19 +0200
committerFerdinand Thiessen <opensource@fthiessen.de>2024-09-06 03:38:47 +0200
commite93ceea804284800c1636e7ef199f40c1d33f0b3 (patch)
treea9405dcb4c970ae712d9685762c009dbe7316566 /apps
parenta84de3c755b25bdff0a4131dd552eb78715dd131 (diff)
fix(files): Do not allow copy action on public shares without `create` permission
Signed-off-by: Ferdinand Thiessen <opensource@fthiessen.de>
Diffstat (limited to 'apps')
-rw-r--r--apps/files/src/actions/moveOrCopyActionUtils.ts20
-rw-r--r--apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php1
2 files changed, 18 insertions, 3 deletions
diff --git a/apps/files/src/actions/moveOrCopyActionUtils.ts b/apps/files/src/actions/moveOrCopyActionUtils.ts
index 0c7822390ac..0372e8f4bc7 100644
--- a/apps/files/src/actions/moveOrCopyActionUtils.ts
+++ b/apps/files/src/actions/moveOrCopyActionUtils.ts
@@ -7,7 +7,11 @@ import type { Folder, Node } from '@nextcloud/files'
import type { ShareAttribute } from '../../../files_sharing/src/sharing'
import { Permission } from '@nextcloud/files'
+import { isPublicShare } from '@nextcloud/sharing/public'
import PQueue from 'p-queue'
+import { loadState } from '@nextcloud/initial-state'
+
+const sharePermissions = loadState<number>('files_sharing', 'sharePermissions', Permission.NONE)
// This is the processing queue. We only want to allow 3 concurrent requests
let queue: PQueue
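Review bot: The new module-level `sharePermissions` constant has no comment saying where the value comes from or why its fallback is `Permission.NONE`. That fallback makes the public-share branch of `canCopy` fail closed when the state is absent, which is the safe direction. It also means a public share page rendered without this initial state would lose the copy action even when `create` is granted; this commit only adds the state in `DefaultPublicShareTemplateProvider`, and whether other template providers exist is not visible here. I would add `// Permission bitmask of the current public share, provided by files_sharing as initial state; falls back to NONE so copy is denied when it is missing` above the constant.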
@@ -51,7 +55,17 @@ export const canDownload = (nodes: Node[]) => {
export const canCopy = (nodes: Node[]) => {
// a shared file cannot be copied if the download is disabled
- // it can be copied if the user has at least read permissions
- return canDownload(nodes)
- && !nodes.some(node => node.permissions === Permission.NONE)
+ if (!canDownload(nodes)) {
+ return false
+ }
+ // it cannot be copied if the user has only view permissions
+ if (nodes.some((node) => node.permissions === Permission.NONE)) {
+ return false
+ }
+ // on public shares all files have the same permission so copy is only possible if write permission is granted
+ if (isPublicShare()) {
+ return Boolean(sharePermissions & Permission.CREATE)
+ }
+ // otherwise permission is granted
+ return true
}
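Review bot: The `isPublicShare()` branch in `canCopy` only decides whether the copy action is offered in the UI, and the bitmask it tests comes from initial state that the client can alter. The real restriction therefore has to be enforced where the copy request is handled on the server; that code is not part of this diff, so it is worth confirming that a copy into a share without `create` is rejected there. The comment above the branch says "write permission" while the code tests `Permission.CREATE`; I would reword it to `// on public shares all files have the same permissions, so copying requires the CREATE permission`. The earlier comment `// it cannot be copied if the user has only view permissions` sits above a comparison with `Permission.NONE`, which reads as "no permissions at all", so `// it cannot be copied if the user has no permissions on a node` would match the check.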
diff --git a/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php b/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php
index 4feaac82dc0..d505f38817c 100644
--- a/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php
+++ b/apps/files_sharing/lib/DefaultPublicShareTemplateProvider.php
@@ -91,6 +91,7 @@ class DefaultPublicShareTemplateProvider implements IPublicShareTemplateProvider
// Set up initial state
$this->initialState->provideInitialState('isPublic', true);
$this->initialState->provideInitialState('sharingToken', $token);
+ $this->initialState->provideInitialState('sharePermissions', $share->getPermissions());
$this->initialState->provideInitialState('filename', $shareNode->getName());
$this->initialState->provideInitialState('view', $view);