diff options
| author | Morris Jobke <hey@morrisjobke.de> | 2015-03-27 09:59:12 +0100 |
|---|---|---|
| committer | Morris Jobke <hey@morrisjobke.de> | 2015-03-27 09:59:12 +0100 |
| commit | a538f14b4a8af3067c02c0fdcb3fcecac8c91f0e (patch) | |
| tree | 9862506f3141e6dbe40c9fffb439e6c5267a55c6 /lib | |
| parent | baa2e4f99558a49c0237a50cc548ae5b8a787ba4 (diff) | |
| parent | 48ceaa9502a211b80881fe0fae431af12fcbc7a3 (diff) | |
| download | nextcloud-server-a538f14b4a8af3067c02c0fdcb3fcecac8c91f0e.tar.gz nextcloud-server-a538f14b4a8af3067c02c0fdcb3fcecac8c91f0e.zip | |
Merge pull request #15246 from owncloud/stable8-share-partfilepermissions
[stable8] Fix share permission checks
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/private/connector/sabre/objecttree.php | 21 |
1 files changed, 15 insertions, 6 deletions
diff --git a/lib/private/connector/sabre/objecttree.php b/lib/private/connector/sabre/objecttree.php index 3422ed2d575..11b0abf3bfc 100644 --- a/lib/private/connector/sabre/objecttree.php +++ b/lib/private/connector/sabre/objecttree.php @@ -126,8 +126,9 @@ class ObjectTree extends \Sabre\DAV\ObjectTree { throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup'); } + $targetNodeExists = $this->nodeExists($destinationPath); $sourceNode = $this->getNodeForPath($sourcePath); - if ($sourceNode instanceof \Sabre\DAV\ICollection and $this->nodeExists($destinationPath)) { + if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) { throw new \Sabre\DAV\Exception\Forbidden('Could not copy directory ' . $sourceNode . ', target exists'); } list($sourceDir,) = \Sabre\DAV\URLUtil::splitPath($sourcePath); @@ -141,14 +142,22 @@ class ObjectTree extends \Sabre\DAV\ObjectTree { } try { - // check update privileges - if (!$this->fileView->isUpdatable($sourcePath) && !$isMovableMount) { - throw new \Sabre\DAV\Exception\Forbidden(); - } - if ($sourceDir !== $destinationDir) { + $sameFolder = ($sourceDir === $destinationDir); + // if we're overwriting or same folder + if ($targetNodeExists || $sameFolder) { + // note that renaming a share mount point is always allowed + if (!$this->fileView->isUpdatable($destinationDir) && !$isMovableMount) { + throw new \Sabre\DAV\Exception\Forbidden(); + } + } else { if (!$this->fileView->isCreatable($destinationDir)) { throw new \Sabre\DAV\Exception\Forbidden(); } + } + + if (!$sameFolder) { + // moving to a different folder, source will be gone, like a deletion + // note that moving a share mount point is always allowed if (!$this->fileView->isDeletable($sourcePath) && !$isMovableMount) { throw new \Sabre\DAV\Exception\Forbidden(); } |