author | Lukas Reschke <lukas@owncloud.com> | 2016-06-27 18:23:00 +0200 |
---|---|---|
committer | Lukas Reschke <lukas@owncloud.com> | 2016-06-27 18:23:00 +0200 |
commit | 6670d3765881a1a7579bd96a523a90c2a52aec4a (patch) | |
tree | 4251976f5699d7b9e0b1b0aa42b3a5baca5432b5 /lib/private | |
parent | cee2f5dc65f743e0e6470e852978d8bb8e346012 (diff) | |
parent | f8fa031e9f81ba052930d2de647d997af3c309c6 (diff) | |
download | nextcloud-server-6670d3765881a1a7579bd96a523a90c2a52aec4a.tar.gz nextcloud-server-6670d3765881a1a7579bd96a523a90c2a52aec4a.zip |
Merge remote-tracking branch 'upstream/master' into master-sync-upstream
Diffstat (limited to 'lib/private')
-rw-r--r-- | lib/private/IntegrityCheck/Checker.php | 15 | ||||
-rw-r--r-- | lib/private/Repair/RepairInvalidShares.php | 23 | ||||
-rw-r--r-- | lib/private/Share20/Manager.php | 7 | ||||
-rw-r--r-- | lib/private/User/Session.php | 13 |
4 files changed, 47 insertions, 11 deletions
diff --git a/lib/private/IntegrityCheck/Checker.php b/lib/private/IntegrityCheck/Checker.php index ab68f752206..57127f280c4 100644 --- a/lib/private/IntegrityCheck/Checker.php +++ b/lib/private/IntegrityCheck/Checker.php @@ -108,7 +108,11 @@ class Checker { * applicable for very specific scenarios and we should not advertise it * too prominent. So please do not add it to config.sample.php. */ - $isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false); + if ($this->config !== null) { + $isIntegrityCheckDisabled = $this->config->getSystemValue('integrity.check.disabled', false); + } else { + $isIntegrityCheckDisabled = false; + } if($isIntegrityCheckDisabled === true) { return false; } @@ -401,7 +405,10 @@ class Checker { return json_decode($cachedResults, true); } - return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true); + if ($this->config !== null) { + return json_decode($this->config->getAppValue('core', self::CACHE_KEY, '{}'), true); + } + return []; } /** @@ -416,7 +423,9 @@ class Checker { if(!empty($result)) { $resultArray[$scope] = $result; } - $this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray)); + if ($this->config !== null) { + $this->config->setAppValue('core', self::CACHE_KEY, json_encode($resultArray)); + } $this->cache->set(self::CACHE_KEY, json_encode($resultArray)); } diff --git a/lib/private/Repair/RepairInvalidShares.php b/lib/private/Repair/RepairInvalidShares.php index 30f67a1f394..728632486d0 100644 --- a/lib/private/Repair/RepairInvalidShares.php +++ b/lib/private/Repair/RepairInvalidShares.php 
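Review bot: In the second Checker.php hunk (new lines 405-414) the fallback `return [];` makes a missing config object indistinguishable from a verification run that found nothing, so a caller that reads an empty result as "integrity check passed" would report success without any stored result being consulted. The third hunk (new lines 423-431) has the matching gap on the write side: with `$this->config === null` the results go to the cache only and are never persisted. The first hunk fails safe by setting `$isIntegrityCheckDisabled = false`, which is the right default. I would add a comment at both places, for example `// No config backend available: results cannot be persisted, and an empty array here does not mean the check passed`. All three enclosing methods start outside their hunks, so when the config can actually be null is not visible here.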
@@ -72,6 +72,25 @@ class RepairInvalidShares implements IRepairStep { } /** + * In the past link shares with public upload enabled were missing the delete permission. + */ + private function addShareLinkDeletePermission(IOutput $out) { + $oldPerms = \OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE; + $newPerms = \OCP\Constants::PERMISSION_READ | \OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE; + $builder = $this->connection->getQueryBuilder(); + $builder + ->update('share') + ->set('permissions', $builder->expr()->literal($newPerms)) + ->where($builder->expr()->eq('share_type', $builder->expr()->literal(\OC\Share\Constants::SHARE_TYPE_LINK))) + ->andWhere($builder->expr()->eq('permissions', $builder->expr()->literal($oldPerms))); + + $updatedEntries = $builder->execute(); + if ($updatedEntries > 0) { + $out->info('Fixed link share permissions for ' . $updatedEntries . ' shares'); + } + } + + /** * Remove shares where the parent share does not exist anymore */ private function removeSharesNonExistingParent(IOutput $out) { @@ -113,6 +132,10 @@ class RepairInvalidShares implements IRepairStep { // this situation was only possible before 8.2 $this->removeExpirationDateFromNonLinkShares($out); } + if (version_compare($ocVersionFromBeforeUpdate, '9.1.0.9', '<')) { + // this situation was only possible before 9.1 + $this->addShareLinkDeletePermission($out); + } $this->removeSharesNonExistingParent($out); } diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php index 478643e939b..9383255bc73 100644 --- a/lib/private/Share20/Manager.php +++ b/lib/private/Share20/Manager.php 
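Review bot: `addShareLinkDeletePermission()` in the first hunk widens the permission mask of every link share that is exactly READ|CREATE|UPDATE, and its docblock does not state that this gives anonymous holders of existing public-upload links the ability to delete. Within the version gate added in the second hunk the update is unconditional: the query has no condition on whether public upload is still enabled, and the only trace is a count passed to `$out->info(...)`. Extend the docblock to name the security effect and the exact-match rule, e.g. `* Grants PERMISSION_DELETE to existing link shares with READ|CREATE|UPDATE; shares with any other mask are left untouched.` The `literal()` calls only carry constants, so there is no injection concern, though `createNamedParameter()` would be the more usual query-builder style.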
@@ -452,14 +452,9 @@ class Manager implements IManager { throw new \InvalidArgumentException('Link shares can\'t have reshare permissions'); } - // We don't allow deletion on link shares - if ($share->getPermissions() & \OCP\Constants::PERMISSION_DELETE) { - throw new \InvalidArgumentException('Link shares can\'t have delete permissions'); - } - // Check if public upload is allowed if (!$this->shareApiLinkAllowPublicUpload() && - ($share->getPermissions() & (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE))) { + ($share->getPermissions() & (\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE | \OCP\Constants::PERMISSION_DELETE))) { throw new \InvalidArgumentException('Public upload not allowed'); } } diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php index 2b65f31af28..6219a89e5b3 100644 --- a/lib/private/User/Session.php +++ b/lib/private/User/Session.php @@ -280,7 +280,7 @@ class Session implements IUserSession, Emitter { */ public function login($uid, $password) { $this->session->regenerateId(); - if ($this->validateToken($password)) { + if ($this->validateToken($password, $uid)) { // When logging in with token, the password must be decrypted first before passing to login hook try { $token = $this->tokenProvider->getToken($password); 
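Review bot: With the explicit rejection removed in the Manager.php hunk, `PERMISSION_DELETE` on a link share is gated only by `shareApiLinkAllowPublicUpload()`, and nothing visible here requires it to accompany CREATE or UPDATE, so a mask such as READ|DELETE passes this check whenever public upload is enabled. If delete is meant to exist only as part of the public-upload set, that should be enforced or at least stated; a comment above the condition such as `// Delete is treated as part of public upload: anyone holding the link may remove files` makes the new trust decision visible. The message 'Public upload not allowed' is now also thrown for a delete-only request, which may mislead API clients. The enclosing method starts outside the hunk, so other checks there may already constrain the mask.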
@@ -584,15 +584,24 @@ class Session implements IUserSession, Emitter { * Invalidates the token if checks fail * * @param string $token + * @param string $user login name * @return boolean */ - private function validateToken($token) { + private function validateToken($token, $user = null) { try { $dbToken = $this->tokenProvider->getToken($token); } catch (InvalidTokenException $ex) { return false; } + // Check if login names match + if (!is_null($user) && $dbToken->getLoginName() !== $user) { + // TODO: this makes it imposssible to use different login names on browser and client + // e.g. login by e-mail 'user@example.com' on browser for generating the token will not + // allow to use the client token with the login name 'user'. + return false; + } + if (!$this->checkTokenCredentials($dbToken, $token)) { return false; } |
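Review bot: The login-name check in `validateToken()` is skipped whenever `$user` is null, and because the parameter defaults to null, every call site that does not pass a login name keeps accepting a token regardless of the account it is presented for; only the `login()` call in the previous hunk is visibly updated. The docblock should say so: `@param string|null $user login name the token must belong to, null skips the check`. The header sentence 'Invalidates the token if checks fail' no longer holds for the new branch, which returns false without touching the token; that is a sensible choice but worth stating. The comparison is a strict, case-sensitive `!==`, so backends with case-insensitive login names would be rejected here; the TODO already notes the related e-mail case and contains a typo ('imposssible').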