Diffstat (limited to 'apps/files/ajax/upload.php')
-rw-r--r-- | apps/files/ajax/upload.php | 48 |
1 files changed, 42 insertions, 6 deletions
diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index e1263744e1b..12db682c1e2 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -1,17 +1,53 @@
 <?php
-// Init owncloud
-
-
 // Firefox and Konqueror tries to download application/json for me. --Arthur
 OCP\JSON::setContentTypeHeader('text/plain');
-OCP\JSON::checkLoggedIn();
-OCP\JSON::callCheck();
+// If a directory token is sent along check if public upload is permitted.
+// If not, check the login.
+// If no token is sent along, rely on login only
+
 $l = OC_L10N::get('files');
+if (!$_POST['dirToken']) {
+ // The standard case, files are uploaded through logged in users :)
+ OCP\JSON::checkLoggedIn();
+ $dir = isset($_POST['dir']) ? $_POST['dir'] : "";
+ if (!$dir || empty($dir) || $dir === false) {
+ OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Unable to set upload directory.')))));
+ die();
+ }
+} else {
+ $linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
+
+ if ($linkItem === false) {
+ OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
+ die();
+ }
+
+ if (!($linkItem['permissions'] & OCP\PERMISSION_CREATE)) {
+ OCP\JSON::checkLoggedIn();
+ } else {
+
+ // The token defines the target directory (security reasons)
+ $dir = sprintf(
+ "/%s/%s",
+ $linkItem['file_target'],
+ isset($_POST['subdir']) ? $_POST['subdir'] : ''
+ );
+
+ if (!$dir || empty($dir) || $dir === false) {
+ OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Unable to set upload directory.')))));
+ die();
+ }
+ // Setup FS with owner
+ OC_Util::setupFS($linkItem['uid_owner']);
+ }
+}
+
+
+OCP\JSON::callCheck();
-$dir = $_POST['dir'];
 // get array with current storage stats (e.g. max file size)
 $storageStats = \OCA\files\lib\Helper::buildFileStorageStatistics($dir); |
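Review bot: In the `dirToken` branch, when the share lacks `OCP\PERMISSION_CREATE` the code only calls `OCP\JSON::checkLoggedIn()` and never assigns `$dir`, yet the old `$dir = $_POST['dir'];` is removed, so `buildFileStorageStatistics($dir)` at the end of the hunk runs on an undefined variable; that branch should also set `$dir = isset($_POST['dir']) ? $_POST['dir'] : "";` and apply the same emptiness check the no-token branch does. `$_POST['subdir']` is spliced into the target path by the `sprintf("/%s/%s", ...)` without any normalisation, so unless the filesystem layer below rejects them, `..` segments could resolve outside `file_target` despite the "token defines the target directory" comment — reject a subdir containing `..` (or pass the built path through the filesystem's path normalisation) before `OC_Util::setupFS` is called. `if (!$_POST['dirToken'])` reads an undefined index on the ordinary logged-in upload, where no token is posted, and raises a notice; `if (empty($_POST['dirToken']))` is the intended test. The script continues past the last line shown in the hunk.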