Set proper permissions on link share

If we do not allow public upload we should limit the permissions on
links shares upon retrieval.

* Added unit test
* Allow fetching federated shares by token as well

1 files changed, 19 insertions, 1 deletions

diff --git a/lib/private/Share20/Manager.php b/lib/private/Share20/Manager.php
index 6c665f7e133..be7257de36d 100644
--- a/lib/private/Share20/Manager.php
+++ b/lib/private/Share20/Manager.php
@@ -976,7 +976,17 @@ class Manager implements IManager {
 	public function getShareByToken($token) {
 		$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_LINK);
 
-		$share = $provider->getShareByToken($token);
+		try {
+			$share = $provider->getShareByToken($token);
+		} catch (ShareNotFound $e) {
+			//Ignore
+		}
+
+		// If it is not a link share try to fetch a federated share by token
+		if ($share === null) {
+			$provider = $this->factory->getProviderForType(\OCP\Share::SHARE_TYPE_REMOTE);
+			$share = $provider->getShareByToken($token);
+		}
 
 		if ($share->getExpirationDate() !== null &&
 			$share->getExpirationDate() <= new \DateTime()) {
@@ -984,6 +994,14 @@ class Manager implements IManager {
 			throw new ShareNotFound();
 		}
 
+		/*
+		 * Reduce the permissions for link shares if public upload is not enabled
+		 */
+		if ($share->getShareType() === \OCP\Share::SHARE_TYPE_LINK &&
+			!$this->shareApiLinkAllowPublicUpload()) {
+			$share->setPermissions($share->getPermissions() & ~(\OCP\Constants::PERMISSION_CREATE | \OCP\Constants::PERMISSION_UPDATE));
+		}
+
 		return $share;
 	}