summaryrefslogtreecommitdiffstats
path: root/apps/files/ajax
diff options
context:
space:
mode:
Diffstat (limited to 'apps/files/ajax')
-rw-r--r--apps/files/ajax/upload.php9
1 files changed, 7 insertions, 2 deletions
diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 2c1be428e84..38c2a053a9e 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -7,6 +7,8 @@ OCP\JSON::setContentTypeHeader('text/plain');
// If not, check the login.
// If no token is sent along, rely on login only
+$allowedPermissions = OCP\PERMISSION_ALL;
+
$l = OC_L10N::get('files');
if (empty($_POST['dirToken'])) {
// The standard case, files are uploaded through logged in users :)
@@ -17,6 +19,9 @@ if (empty($_POST['dirToken'])) {
die();
}
} else {
+ // return only read permissions for public upload
+ $allowedPermissions = OCP\PERMISSION_READ;
+
$linkItem = OCP\Share::getShareByToken($_POST['dirToken']);
if ($linkItem === false) {
OCP\JSON::error(array('data' => array_merge(array('message' => $l->t('Invalid Token')))));
@@ -130,7 +135,7 @@ if (strpos($dir, '..') === false) {
'originalname' => $files['tmp_name'][$i],
'uploadMaxFilesize' => $maxUploadFileSize,
'maxHumanFilesize' => $maxHumanFileSize,
- 'permissions' => $meta['permissions'] & OCP\PERMISSION_READ
+ 'permissions' => $meta['permissions'] & $allowedPermissions
);
}
@@ -156,7 +161,7 @@ if (strpos($dir, '..') === false) {
'originalname' => $files['tmp_name'][$i],
'uploadMaxFilesize' => $maxUploadFileSize,
'maxHumanFilesize' => $maxHumanFileSize,
- 'permissions' => $meta['permissions'] & OCP\PERMISSION_READ
+ 'permissions' => $meta['permissions'] & $allowedPermissions
);
}
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-24 09:57:24 +0000