summaryrefslogtreecommitdiffstats
path: root/lib/private
diff options
context:
space:
mode:
authorLukas Reschke <lukas@owncloud.com>2016-06-27 18:23:00 +0200
committerLukas Reschke <lukas@owncloud.com>2016-06-27 18:23:00 +0200
commit6670d3765881a1a7579bd96a523a90c2a52aec4a (patch)
tree4251976f5699d7b9e0b1b0aa42b3a5baca5432b5 /lib/private
parentcee2f5dc65f743e0e6470e852978d8bb8e346012 (diff)
parentf8fa031e9f81ba052930d2de647d997af3c309c6 (diff)
downloadnextcloud-server-6670d3765881a1a7579bd96a523a90c2a52aec4a.tar.gz
nextcloud-server-6670d3765881a1a7579bd96a523a90c2a52aec4a.zip
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
Diffstat (limited to 'lib/private')
-rw-r--r--lib/private/IntegrityCheck/Checker.php15
-rw-r--r--lib/private/Repair/RepairInvalidShares.php23
-rw-r--r--lib/private/Share20/Manager.php7
-rw-r--r--lib/private/User/Session.php13
4 files changed, 47 insertions, 11 deletions
diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php
index ab68f752206..57127f280c4 100644
--- a/lib/private/IntegrityCheck/Checker.php
+++ b/lib/private/IntegrityCheck/Checker.php
@@ -108,7 +108,11 @@ class Checker {
* applicable for very specific scenarios and we should not advertise it
* too prominent. So please do not add it to config.sample.php.
*/
- $isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false);
+ if ($this->config !== null) {
+ $isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false);
+ } else {
+ $isIntegrityCheckDisabled = false;
+ }
if($isIntegrityCheckDisabled === true) {
return false;
}
@@ -401,7 +405,10 @@ class Checker {
return json_decode($cachedResults, true);
}
- return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true);
+ if ($this->config !== null) {
+ return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true);
+ }
+ return [];
}
/**
@@ -416,7 +423,9 @@ class Checker {
if(!empty($result)) {
$resultArray[$scope] = $result;
}
- $this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray));
+ if ($this->config !== null) {
+ $this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray));
+ }
$this->cache->set(self::CACHE_KEY, json_encode($resultArray));
}
diff --git a/lib/private/Repair/RepairInvalidShares.php b/lib/private/Repair/RepairInvalidShares.php
index 30f67a1f394..728632486d0 100644
--- a/lib/private/Repair/RepairInvalidShares.php
+++ b/lib/private/Repair/RepairInvalidShares.php
@@ -72,6 +72,25 @@ class RepairInvalidShares implements IRepairStep {
}
/**
+ * In the past link shares with public upload enabled were missing the delete permission.
+ */
+ private function addShareLinkDeletePermission(IOutput $out) {
+ $oldPerms = \OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE;
+ $newPerms = \OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE;
+ $builder = $this->connection->getQueryBuilder();
+ $builder
+ ->update('share')
+ ->set('permissions', $builder->expr()->literal($newPerms))
+ ->where($builder->expr()->eq('share_type', $builder->expr()->literal(\OC\Share\Constants::SHARE_TYPE_LINK)))
+ ->andWhere($builder->expr()->eq('permissions', $builder->expr()->literal($oldPerms)));
+
+ $updatedEntries = $builder->execute();
+ if ($updatedEntries > 0) {
+ $out->info('Fixed link share permissions for ' . $updatedEntries . ' shares');
+ }
+ }
+
+ /**
* Remove shares where the parent share does not exist anymore
*/
private function removeSharesNonExistingParent(IOutput $out) {
@@ -113,6 +132,10 @@ class RepairInvalidShares implements IRepairStep {
// this situation was only possible before 8.2
$this->removeExpirationDateFromNonLinkShares($out);
}
+ if (version_compare($ocVersionFromBeforeUpdate, '9.1.0.9', '<')) {
+ // this situation was only possible before 9.1
+ $this->addShareLinkDeletePermission($out);
+ }
$this->removeSharesNonExistingParent($out);
}
diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php
index 478643e939b..9383255bc73 100644
--- a/lib/private/Share20/Manager.php
+++ b/lib/private/Share20/Manager.php
@@ -452,14 +452,9 @@ class Manager implements IManager {
throw new \InvalidArgumentException('Link shares can\'t have reshare permissions');
}
- // We don't allow deletion on link shares
- if ($share->getPermissions() & \OCP\Constants::PERMISSION_DELETE) {
- throw new \InvalidArgumentException('Link shares can\'t have delete permissions');
- }
-
// Check if public upload is allowed
if (!$this->shareApiLinkAllowPublicUpload() &&
- ($share->getPermissions() & (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE))) {
+ ($share->getPermissions() & (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE))) {
throw new \InvalidArgumentException('Public upload not allowed');
}
}
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
index 2b65f31af28..6219a89e5b3 100644
--- a/lib/private/User/Session.php
+++ b/lib/private/User/Session.php
@@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter {
*/
public function login($uid, $password) {
$this->session->regenerateId();
- if ($this->validateToken($password)) {
+ if ($this->validateToken($password, $uid)) {
// When logging in with token, the password must be decrypted first before passing to login hook
try {
$token = $this->tokenProvider->getToken($password);
@@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter {
* Invalidates the token if checks fail
*
* @param string $token
+ * @param string $user login name
* @return boolean
*/
- private function validateToken($token) {
+ private function validateToken($token, $user = null) {
try {
$dbToken = $this->tokenProvider->getToken($token);
} catch (InvalidTokenException $ex) {
return false;
}
+ // Check if login names match
+ if (!is_null($user) && $dbToken->getLoginName() !== $user) {
+ // TODO: this makes it imposssible to use different login names on browser and client
+ // e.g. login by e-mail 'user@example.com' on browser for generating the token will not
+ // allow to use the client token with the login name 'user'.
+ return false;
+ }
+
if (!$this->checkTokenCredentials($dbToken, $token)) {
return false;
}