Diffstat (limited to 'apps/files_sharing/ajax')
-rw-r--r--apps/files_sharing/ajax/publicpreview.php7
-rw-r--r--apps/files_sharing/ajax/shareinfo.php5
2 files changed, 12 insertions, 0 deletions
diff --git a/apps/files_sharing/ajax/publicpreview.php b/apps/files_sharing/ajax/publicpreview.php
index 5999740af31..c02d475a769 100644
--- a/apps/files_sharing/ajax/publicpreview.php
+++ b/apps/files_sharing/ajax/publicpreview.php
@@ -42,6 +42,13 @@ if($token === ''){
}
$linkedItem = \OCP\Share::getShareByToken($token);
+$shareManager = \OC::$server->getShareManager();
+$share = $shareManager->getShareByToken($token);
+if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ OCP\JSON::error(array('data' => 'Share is not readable.'));
+ exit();
+}
+
if($linkedItem === false || ($linkedItem['item_type'] !== 'file' && $linkedItem['item_type'] !== 'folder')) {
\OC_Response::setStatus(\OC_Response::STATUS_NOT_FOUND);
\OCP\Util::writeLog('core-preview', 'Passed token parameter is not valid', \OCP\Util::DEBUG);
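Review bot: The added share-manager lookup and permission check run before the existing `$linkedItem === false` validation, so an unknown or malformed token now reaches `$shareManager->getShareByToken($token)` first; if that call throws for tokens it cannot resolve (it appears to in the share manager API, worth confirming), the established 404 branch below is never reached and the request ends in an uncaught exception rather than the logged not-found response. Moving the new block to after the `$linkedItem` check, or wrapping the lookup so a not-found result falls through to the same `STATUS_NOT_FOUND` handling, keeps the existing behaviour for bad tokens while still enforcing `PERMISSION_READ`. The read check also answers with `OCP\JSON::error`, which in this file is written unqualified while every other global reference uses a leading backslash; `\OCP\JSON::error(...)` would match the surrounding style (the same applies to the shareinfo.php hunk).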
diff --git a/apps/files_sharing/ajax/shareinfo.php b/apps/files_sharing/ajax/shareinfo.php
index acf58a2431a..002d7ab275e 100644
--- a/apps/files_sharing/ajax/shareinfo.php
+++ b/apps/files_sharing/ajax/shareinfo.php
@@ -71,6 +71,11 @@ $shareManager = \OC::$server->getShareManager();
$share = $shareManager->getShareByToken($token);
$sharePermissions= (int)$share->getPermissions();
+if(!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+ OCP\JSON::error(array('data' => 'Share is not readable.'));
+ exit();
+}
+
/**
* @param \OCP\Files\FileInfo $dir
* @param \OC\Files\View $view
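Review bot: The new check re-calls `$share->getPermissions()` even though `$sharePermissions` was just computed from it on the preceding line, so the cast value and the value being tested can be read as two different things by a later maintainer; `if(!($sharePermissions & \OCP\Constants::PERMISSION_READ)) {` expresses the same condition on the variable the rest of the file already uses. The early-exit response here is a JSON error rather than the not-found status used elsewhere for unusable tokens, which is fine for a share that exists but is not readable, but a one-line comment such as `// Share exists but grants no read access; refuse before exposing any file info` would make the distinction deliberate.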