author | Roeland Jago Douma <rullzer@owncloud.com> | 2015-10-06 15:36:54 +0200 |
---|---|---|
committer | Roeland Jago Douma <rullzer@owncloud.com> | 2015-10-07 11:58:16 +0200 |
commit | 1ee56c702de8498bdc17bc7e93ff4c24c7b5590b (patch) | |
tree | 9a09225eb2a94baadcf7f1cf2ff852c3441a517e /lib | |
parent | cd818e7419fb39d97683ecc5803534b0ed632596 (diff) | |
download | nextcloud-server-1ee56c702de8498bdc17bc7e93ff4c24c7b5590b.tar.gz nextcloud-server-1ee56c702de8498bdc17bc7e93ff4c24c7b5590b.zip |
[WEBDAV] check if delete of source is allowed on move
Fixes #5251
If we perform a move, we first need to make sure that the source can be
deleted. Otherwise the destination might be cleared but the move will fail later.
* Added unit tests
Eventually we need more and better checking here.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/private/connector/sabre/filesplugin.php | 32 | ||||
-rw-r--r-- | lib/private/connector/sabre/serverfactory.php | 2 |
2 files changed, 32 insertions, 2 deletions
diff --git a/lib/private/connector/sabre/filesplugin.php b/lib/private/connector/sabre/filesplugin.php
index 84620f454aa..ab7f6884a5e 100644
--- a/lib/private/connector/sabre/filesplugin.php
+++ b/lib/private/connector/sabre/filesplugin.php
@@ -64,10 +64,20 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 private $isPublic;
 /**
+ * @var \OC\Files\View
+ */
+ private $fileView;
+
+ /**
 * @param \Sabre\DAV\Tree $tree
+ * @param \OC\Files\View $view
+ * @param bool $isPublic
 */
- public function __construct(\Sabre\DAV\Tree $tree, $isPublic = false) {
+ public function __construct(\Sabre\DAV\Tree $tree,
+ \OC\Files\View $view,
+ $isPublic = false) {
 $this->tree = $tree;
+ $this->fileView = $view;
 $this->isPublic = $isPublic;
 }
@@ -106,6 +116,26 @@ class FilesPlugin extends \Sabre\DAV\ServerPlugin {
 fclose($body);
 }
 });
+ $this->server->on('beforeMove', [$this, 'checkMove']);
+ }
+
+ /**
+ * Plugin that checks if a move can actually be performed.
+ * @param string $source source path
+ * @param string $destination destination path
+ * @throws \Sabre\DAV\Exception\Forbidden
+ */
+ function checkMove($source, $destination) {
+ list($sourceDir,) = \Sabre\HTTP\URLUtil::splitPath($source);
+ list($destinationDir,) = \Sabre\HTTP\URLUtil::splitPath($destination);
+
+ if ($sourceDir !== $destinationDir) {
+ $sourceFileInfo = $this->fileView->getFileInfo($source);
+
+ if (!$sourceFileInfo->isDeletable()) {
+ throw new \Sabre\DAV\Exception\Forbidden($source . " cannot be deleted");
+ }
+ }
 }
 /**
diff --git a/lib/private/connector/sabre/serverfactory.php b/lib/private/connector/sabre/serverfactory.php
index a0c32c1da53..893e29fd41c 100644
--- a/lib/private/connector/sabre/serverfactory.php
+++ b/lib/private/connector/sabre/serverfactory.php
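Review bot: The new required `\OC\Files\View $view` parameter is inserted before the optional `$isPublic` in `__construct`, so any existing caller that passes the public flag positionally as the second argument now fails the type hint. Only the `ServerFactory` call is updated in this diff, and the diffstat is limited to `lib`, so callers elsewhere cannot be checked from here and should be searched for before merging. The class body continues outside the hunk.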
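Review bot: In `checkMove`, the result of `$this->fileView->getFileInfo($source)` is dereferenced without a check; if the view returns `false` for a source that does not exist or is not visible to the user (which, to my knowledge, `View::getFileInfo` does), `isDeletable()` is called on a non-object and the request ends in a fatal error rather than a WebDAV error. Add a guard before the permission test: `if ($sourceFileInfo === false) { throw new \Sabre\DAV\Exception\NotFound($source . ' does not exist'); }`. The method is also declared without visibility; `public function checkMove($source, $destination)` would match the constructor. The check only runs when the two parent directories differ, so a rename inside one directory is not covered by it; if that is intended, a one-line comment saying so would help the next reader.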
@@ -72,7 +72,6 @@ class ServerFactory {
 $server->addPlugin(new \Sabre\DAV\Auth\Plugin($authBackend, $defaults->getName()));
 // FIXME: The following line is a workaround for legacy components relying on being able to send a GET to /
 $server->addPlugin(new \OC\Connector\Sabre\DummyGetResponsePlugin());
- $server->addPlugin(new \OC\Connector\Sabre\FilesPlugin($objectTree));
 $server->addPlugin(new \OC\Connector\Sabre\ExceptionLoggerPlugin('webdav', $this->logger));
 $server->addPlugin(new \OC\Connector\Sabre\LockPlugin($objectTree));
 $server->addPlugin(new \OC\Connector\Sabre\ListenerPlugin($this->dispatcher));
@@ -91,6 +90,7 @@ class ServerFactory {
 }
 $objectTree->init($root, $view, $this->mountManager);
+ $server->addPlugin(new \OC\Connector\Sabre\FilesPlugin($objectTree, $view));
 $server->addPlugin(new \OC\Connector\Sabre\QuotaPlugin($view));
 if($this->userSession->isLoggedIn()) { |
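Review bot: The `FilesPlugin` registration moves from the unconditional plugin list into the block after `$objectTree->init(...)`, whose start is outside the hunk, and nothing at the new line says why. If that block runs later or only on some paths, the plugin's handlers, including the new `beforeMove` permission check, are attached only once it has run, so it is worth confirming that no MOVE can be dispatched before that point. A comment at the new line would record the dependency, for example `// FilesPlugin needs $view, so it is registered after the tree is initialised` (if that is indeed the reason).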