diff options
Diffstat (limited to 'apps/dav')
-rw-r--r-- | apps/dav/appinfo/v1/publicwebdav.php | 5 | ||||
-rw-r--r-- | apps/dav/lib/Connector/Sabre/ObjectTree.php | 32 | ||||
-rw-r--r-- | apps/dav/tests/travis/caldav/script.sh | 2 | ||||
-rw-r--r-- | apps/dav/tests/travis/carddav/script.sh | 2 | ||||
-rw-r--r-- | apps/dav/tests/unit/CardDAV/CardDavBackendTest.php | 1 | ||||
-rw-r--r-- | apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php | 20 |
6 files changed, 57 insertions, 5 deletions
diff --git a/apps/dav/appinfo/v1/publicwebdav.php b/apps/dav/appinfo/v1/publicwebdav.php index 07004f43bd7..261a4d4b96d 100644 --- a/apps/dav/appinfo/v1/publicwebdav.php +++ b/apps/dav/appinfo/v1/publicwebdav.php @@ -66,8 +66,13 @@ $server = $serverFactory->createServer($baseuri, $requestUri, $authBackend, func $share = $authBackend->getShare(); $owner = $share->getShareOwner(); + $isReadable = $share->getPermissions() & \OCP\Constants::PERMISSION_READ; $fileId = $share->getNodeId(); + if (!$isReadable) { + return false; + } + \OC\Files\Filesystem::addStorageWrapper('sharePermissions', function ($mountPoint, $storage) use ($share) { return new \OC\Files\Storage\Wrapper\PermissionsMask(array('storage' => $storage, 'mask' => $share->getPermissions() | \OCP\Constants::PERMISSION_SHARE)); }); diff --git a/apps/dav/lib/Connector/Sabre/ObjectTree.php b/apps/dav/lib/Connector/Sabre/ObjectTree.php index 9e7d876187d..d8c1d71e7f1 100644 --- a/apps/dav/lib/Connector/Sabre/ObjectTree.php +++ b/apps/dav/lib/Connector/Sabre/ObjectTree.php @@ -71,7 +71,7 @@ class ObjectTree extends \Sabre\DAV\Tree { * is present. * * @param string $path chunk file path to convert - * + * * @return string path to real file */ private function resolveChunkFile($path) { @@ -186,9 +186,13 @@ class ObjectTree extends \Sabre\DAV\Tree { * * @param string $sourcePath The path to the file which should be moved * @param string $destinationPath The full destination path, so not just the destination parent node - * @throws \Sabre\DAV\Exception\BadRequest - * @throws \Sabre\DAV\Exception\ServiceUnavailable + * @throws FileLocked + * @throws Forbidden + * @throws InvalidPath * @throws \Sabre\DAV\Exception\Forbidden + * @throws \Sabre\DAV\Exception\Locked + * @throws \Sabre\DAV\Exception\NotFound + * @throws \Sabre\DAV\Exception\ServiceUnavailable * @return int */ public function move($sourcePath, $destinationPath) { @@ -196,6 +200,15 @@ class ObjectTree extends \Sabre\DAV\Tree { throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup'); } + $infoDestination = $this->fileView->getFileInfo(dirname($destinationPath)); + $infoSource = $this->fileView->getFileInfo($sourcePath); + $destinationPermission = $infoDestination && $infoDestination->isUpdateable(); + $sourcePermission = $infoSource && $infoSource->isDeletable(); + + if (!$destinationPermission || !$sourcePermission) { + throw new Forbidden('No permissions to move object.'); + } + $targetNodeExists = $this->nodeExists($destinationPath); $sourceNode = $this->getNodeForPath($sourcePath); if ($sourceNode instanceof \Sabre\DAV\ICollection && $targetNodeExists) { @@ -265,6 +278,13 @@ class ObjectTree extends \Sabre\DAV\Tree { * * @param string $source * @param string $destination + * @throws FileLocked + * @throws Forbidden + * @throws InvalidPath + * @throws \Exception + * @throws \Sabre\DAV\Exception\Forbidden + * @throws \Sabre\DAV\Exception\Locked + * @throws \Sabre\DAV\Exception\NotFound * @throws \Sabre\DAV\Exception\ServiceUnavailable * @return void */ @@ -273,6 +293,12 @@ class ObjectTree extends \Sabre\DAV\Tree { throw new \Sabre\DAV\Exception\ServiceUnavailable('filesystem not setup'); } + + $info = $this->fileView->getFileInfo(dirname($destination)); + if ($info && !$info->isUpdateable()) { + throw new Forbidden('No permissions to copy object.'); + } + // this will trigger existence check $this->getNodeForPath($source); diff --git a/apps/dav/tests/travis/caldav/script.sh b/apps/dav/tests/travis/caldav/script.sh index 7259372567c..636235349c5 100644 --- a/apps/dav/tests/travis/caldav/script.sh +++ b/apps/dav/tests/travis/caldav/script.sh @@ -16,6 +16,6 @@ PYTHONPATH="$SCRIPTPATH/pycalendar/src" python testcaldav.py --print-details-onf RESULT=$? -tail "$/../../../../../data-autotest/owncloud.log" +tail "$/../../../../../data-autotest/nextcloud.log" exit $RESULT diff --git a/apps/dav/tests/travis/carddav/script.sh b/apps/dav/tests/travis/carddav/script.sh index a8bd9f11b38..ecdc0f95863 100644 --- a/apps/dav/tests/travis/carddav/script.sh +++ b/apps/dav/tests/travis/carddav/script.sh @@ -17,6 +17,6 @@ PYTHONPATH="$SCRIPTPATH/pycalendar/src" python testcaldav.py --print-details-onf RESULT=$? -tail "$/../../../../../data-autotest/owncloud.log" +tail "$/../../../../../data-autotest/nextcloud.log" exit $RESULT diff --git a/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php b/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php index 203d4512a47..9845d2d6909 100644 --- a/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php +++ b/apps/dav/tests/unit/CardDAV/CardDavBackendTest.php @@ -608,6 +608,7 @@ class CardDavBackendTest extends TestCase { $this->assertSame(120, (int)$result['size']); // this shouldn't return any result because 'uri1' is in address book 1 + // see https://github.com/nextcloud/server/issues/229 $result = $this->backend->getContact(0, 'uri1'); $this->assertEmpty($result); } diff --git a/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php b/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php index 4a5e43376c0..96d4357660e 100644 --- a/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php +++ b/apps/dav/tests/unit/Connector/Sabre/ObjectTreeTest.php @@ -35,6 +35,7 @@ class TestDoubleFileView extends \OC\Files\View { $this->updatables = $updatables; $this->deletables = $deletables; $this->canRename = $canRename; + $this->lockingProvider = \OC::$server->getLockingProvider(); } public function isUpdatable($path) { @@ -56,6 +57,11 @@ class TestDoubleFileView extends \OC\Files\View { public function getRelativePath($path) { return $path; } + + public function getFileInfo($path, $includeMountPoints = true) { + $objectTreeTest = new ObjectTreeTest(); + return $objectTreeTest->getFileInfoMock(); + } } /** @@ -67,6 +73,20 @@ class TestDoubleFileView extends \OC\Files\View { */ class ObjectTreeTest extends \Test\TestCase { + public function getFileInfoMock() { + $mock = $this->getMock('\OCP\Files\FileInfo'); + $mock + ->expects($this->any()) + ->method('isDeletable') + ->willReturn(true); + $mock + ->expects($this->any()) + ->method('isUpdateable') + ->willReturn(true); + + return $mock; + } + /** * @dataProvider moveFailedProvider * @expectedException \Sabre\DAV\Exception\Forbidden |