Diffstat (limited to 'apps/dav')
-rw-r--r--apps/dav/appinfo/v1/publicwebdav.php5
-rw-r--r--apps/dav/lib/Connector/Sabre/ObjectTree.php32
-rw-r--r--apps/dav/tests/travis/caldav/script.sh2
-rw-r--r--apps/dav/tests/travis/carddav/script.sh2
-rw-r--r--apps/dav/tests/unit/CardDAV/CardDavBackendTest.php1
-rw-r--r--apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php20
6 files changed, 57 insertions, 5 deletions
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php
index 07004f43bd7..261a4d4b96d 100644
--- a/apps/dav/appinfo/v1/publicwebdav.php
+++ b/apps/dav/appinfo/v1/publicwebdav.php
@@ -66,8 +66,13 @@ $server = $serverFactory->createServer($baseuri, $requestUri, $authBackend, func
$share = $authBackend->getShare();
$owner = $share->getShareOwner();
+ $isReadable = $share->getPermissions() & \OCP\Constants::PERMISSION_READ;
$fileId = $share->getNodeId();
+ if (!$isReadable) {
+ return false;
+ }
+
\OC\Files\Filesystem::addStorageWrapper('sharePermissions', function ($mountPoint, $storage) use ($share) {
return new \OC\Files\Storage\Wrapper\PermissionsMask(array('storage' => $storage, 'mask' => $share->getPermissions() | \OCP\Constants::PERMISSION_SHARE));
});
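Review bot: The new `return false;` hands a non-view value back to whatever `createServer` does with this callback's result, and that handling is not visible in this hunk. Please confirm the server factory turns `false` into a clean denial rather than calling methods on it and failing with a server error. If it does not, an explicit `throw new \Sabre\DAV\Exception\NotFound();` in place of the `return false;` would make the outcome unambiguous. A short comment above the check, such as `// shares without PERMISSION_READ must not be exposed through the public WebDAV endpoint`, would also record why the guard runs before the storage wrapper is registered. The closure body starts and ends outside the hunk.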
diff --git a/apps/dav/lib/Connector/Sabre/ObjectTree.php b/apps/dav/lib/Connector/Sabre/ObjectTree.php
index 9e7d876187d..d8c1d71e7f1 100644
--- a/apps/dav/lib/Connector/Sabre/ObjectTree.php
+++ b/apps/dav/lib/Connector/Sabre/ObjectTree.php
@@ -71,7 +71,7 @@ class ObjectTree extends \Sabre\DAV\Tree {
* is present.
*
* @param string $path chunk file path to convert
- *
+ *
* @return string path to real file
*/
private function resolveChunkFile($path) {
@@ -186,9 +186,13 @@ class ObjectTree extends \Sabre\DAV\Tree {
*
* @param string $sourcePath The path to the file which should be moved
* @param string $destinationPath The full destination path, so not just the destination parent node
- * @throws \Sabre\DAV\Exception\BadRequest
- * @throws \Sabre\DAV\Exception\ServiceUnavailable
+ * @throws FileLocked
+ * @throws Forbidden
+ * @throws InvalidPath
* @throws \Sabre\DAV\Exception\Forbidden
+ * @throws \Sabre\DAV\Exception\Locked
+ * @throws \Sabre\DAV\Exception\NotFound
+ * @throws \Sabre\DAV\Exception\ServiceUnavailable
* @return int
*/
public function move($sourcePath, $destinationPath) {
@@ -196,6 +200,15 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
+ $infoDestination = $this->fileView->getFileInfo(dirname($destinationPath));
+ $infoSource = $this->fileView->getFileInfo($sourcePath);
+ $destinationPermission = $infoDestination && $infoDestination->isUpdateable();
+ $sourcePermission = $infoSource && $infoSource->isDeletable();
+
+ if (!$destinationPermission || !$sourcePermission) {
+ throw new Forbidden('No permissions to move object.');
+ }
+
$targetNodeExists = $this->nodeExists($destinationPath);
$sourceNode = $this->getNodeForPath($sourcePath);
if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) {
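Review bot: The added guard in `move()` tests `isUpdateable()` on `dirname($destinationPath)` whether or not the target already exists, and it requires `isDeletable()` on the source even when source and destination share a parent directory. If the permission model separates create from update, a move to a new name should probably check create on the parent, e.g. `$destinationPermission = $infoDestination && ($this->nodeExists($destinationPath) ? $infoDestination->isUpdateable() : $infoDestination->isCreatable());`. A plain rename inside one directory arguably needs only update on that directory; as written, a user who may rename but not delete gets `Forbidden`. The unqualified `Forbidden` relies on a `use` statement outside this hunk, and the method body continues past it.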
@@ -265,6 +278,13 @@ class ObjectTree extends \Sabre\DAV\Tree {
*
* @param string $source
* @param string $destination
+ * @throws FileLocked
+ * @throws Forbidden
+ * @throws InvalidPath
+ * @throws \Exception
+ * @throws \Sabre\DAV\Exception\Forbidden
+ * @throws \Sabre\DAV\Exception\Locked
+ * @throws \Sabre\DAV\Exception\NotFound
* @throws \Sabre\DAV\Exception\ServiceUnavailable
* @return void
*/
@@ -273,6 +293,12 @@ class ObjectTree extends \Sabre\DAV\Tree {
throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup');
}
+
+ $info = $this->fileView->getFileInfo(dirname($destination));
+ if ($info && !$info->isUpdateable()) {
+ throw new Forbidden('No permissions to copy object.');
+ }
+
// this will trigger existence check
$this->getNodeForPath($source);
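Review bot: The copy guard `if ($info && !$info->isUpdateable())` is skipped whenever `getFileInfo()` returns a falsy value, so a destination parent whose info cannot be obtained passes the permission check. The move path in the same commit treats that case as denied (`$infoDestination && $infoDestination->isUpdateable()`), so the two checks disagree on the failure mode. For a fail-closed check consistent with `move()`, use `if (!$info || !$info->isUpdateable()) {`. Later code may still reject a missing parent, but that part of `copy()` lies outside this hunk and the authorization decision should not depend on it.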
diff --git a/apps/dav/tests/travis/caldav/script.sh b/apps/dav/tests/travis/caldav/script.sh
index 7259372567c..636235349c5 100644
--- a/apps/dav/tests/travis/caldav/script.sh
+++ b/apps/dav/tests/travis/caldav/script.sh
@@ -16,6 +16,6 @@ PYTHONPATH="$SCRIPTPATH/pycalendar/src" python testcaldav.py --print-details-onf
RESULT=$?
-tail "$/../../../../../data-autotest/owncloud.log"
+tail "$/../../../../../data-autotest/nextcloud.log"
exit $RESULT
diff --git a/apps/dav/tests/travis/carddav/script.sh b/apps/dav/tests/travis/carddav/script.sh
index a8bd9f11b38..ecdc0f95863 100644
--- a/apps/dav/tests/travis/carddav/script.sh
+++ b/apps/dav/tests/travis/carddav/script.sh
@@ -17,6 +17,6 @@ PYTHONPATH="$SCRIPTPATH/pycalendar/src" python testcaldav.py --print-details-onf
RESULT=$?
-tail "$/../../../../../data-autotest/owncloud.log"
+tail "$/../../../../../data-autotest/nextcloud.log"
exit $RESULT
diff --git a/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php b/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php
index 203d4512a47..9845d2d6909 100644
--- a/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php
+++ b/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php
@@ -608,6 +608,7 @@ class CardDavBackendTest extends TestCase {
$this->assertSame(120, (int)$result['size']);
// this shouldn't return any result because 'uri1' is in address book 1
+ // see https://github.com/nextcloud/server/issues/229
$result = $this->backend->getContact(0, 'uri1');
$this->assertEmpty($result);
}
diff --git a/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php b/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php
index 4a5e43376c0..96d4357660e 100644
--- a/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php
+++ b/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php
@@ -35,6 +35,7 @@ class TestDoubleFileView extends \OC\Files\View {
$this->updatables = $updatables;
$this->deletables = $deletables;
$this->canRename = $canRename;
+ $this->lockingProvider = \OC::$server->getLockingProvider();
}
public function isUpdatable($path) {
@@ -56,6 +57,11 @@ class TestDoubleFileView extends \OC\Files\View {
public function getRelativePath($path) {
return $path;
}
+
+ public function getFileInfo($path, $includeMountPoints = true) {
+ $objectTreeTest = new ObjectTreeTest();
+ return $objectTreeTest->getFileInfoMock();
+ }
}
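Review bot: The `getFileInfo()` override ignores `$path` and always returns the mock from `getFileInfoMock()` (added in the next hunk), whose `isDeletable` and `isUpdateable` are hard-wired to `true`. The `Forbidden` branches this commit adds to `ObjectTree::move()` and `copy()` are therefore never reached through the new check in these tests. Giving the helper parameters, `public function getFileInfoMock($updatable = true, $deletable = true)` with `->willReturn($deletable)` and `->willReturn($updatable)`, would let a test assert the deny path. The test double could then pass values derived from the `$updatables`/`$deletables` it already stores. Building a fresh `ObjectTreeTest` inside the view only to reach `getMock()` is also awkward; injecting the mock through the constructor would be cleaner.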
/**
@@ -67,6 +73,20 @@ class TestDoubleFileView extends \OC\Files\View {
*/
class ObjectTreeTest extends \Test\TestCase {
+ public function getFileInfoMock() {
+ $mock = $this->getMock('\OCP\Files\FileInfo');
+ $mock
+ ->expects($this->any())
+ ->method('isDeletable')
+ ->willReturn(true);
+ $mock
+ ->expects($this->any())
+ ->method('isUpdateable')
+ ->willReturn(true);
+
+ return $mock;
+ }
+
/**
* @dataProvider moveFailedProvider
* @expectedException \Sabre\DAV\Exception\Forbidden