Diffstat (limited to 'apps')
-rw-r--r--apps/files_sharing/api/local.php9
-rw-r--r--apps/files_sharing/tests/api.php71
2 files changed, 79 insertions, 1 deletions
diff --git a/apps/files_sharing/api/local.php b/apps/files_sharing/api/local.php
index d9291c29f61..87a8fbbb21f 100644
--- a/apps/files_sharing/api/local.php
+++ b/apps/files_sharing/api/local.php
@@ -276,6 +276,10 @@ class Local {
return new \OC_OCS_Result(null, 400, "unknown share type");
}
+ if (($permissions & \OCP\Constants::PERMISSION_READ) === 0) {
+ return new \OC_OCS_Result(null, 400, 'invalid permissions');
+ }
+
try {
$token = \OCP\Share::shareItem(
$itemType,
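Review bot: The added READ check sits only in the OCS wrapper and is repeated verbatim in the later hunk before `\OCP\Share::setPermissions`, so callers that reach `\OCP\Share::shareItem` or `setPermissions` by another path are not covered; the new test file itself calls `shareItem` directly. If the rule is that every share must carry read permission, enforcing it in the share backend, or at least in one private helper used by both methods, keeps the two copies from drifting. The guard also accepts any value that has the READ bit set, including bits outside the defined set; a stricter form would be `if (($permissions & \OCP\Constants::PERMISSION_READ) === 0 || ($permissions & ~\OCP\Constants::PERMISSION_ALL) !== 0) {`. Where `$permissions` is assigned lies outside the hunk, so whether it is already cast to int and bounded cannot be confirmed from here.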
@@ -347,7 +351,6 @@ class Local {
}
return new \OC_OCS_Result(null, 400, "Wrong or no update parameter given");
-
}
/**
@@ -376,6 +379,10 @@ class Local {
}
}
+ if (($permissions & \OCP\Constants::PERMISSION_READ) === 0) {
+ return new \OC_OCS_Result(null, 400, 'invalid permissions');
+ }
+
try {
$return = \OCP\Share::setPermissions(
$itemType,
diff --git a/apps/files_sharing/tests/api.php b/apps/files_sharing/tests/api.php
index 278e7130199..9256f9bcc85 100644
--- a/apps/files_sharing/tests/api.php
+++ b/apps/files_sharing/tests/api.php
@@ -119,6 +119,32 @@ class Test_Files_Sharing_Api extends TestCase {
\OCP\Share::unshare('folder', $fileinfo['fileid'], \OCP\Share::SHARE_TYPE_LINK, null);
}
+ /**
+ * @medium
+ */
+ public function testCreateShareInvalidPermissions() {
+
+ // simulate a post request
+ $_POST['path'] = $this->filename;
+ $_POST['shareWith'] = \Test_Files_Sharing_Api::TEST_FILES_SHARING_API_USER2;
+ $_POST['shareType'] = \OCP\Share::SHARE_TYPE_USER;
+ $_POST['permissions'] = \OCP\Constants::PERMISSION_SHARE;
+
+ $result = \OCA\Files_Sharing\API\Local::createShare([]);
+
+ // share was successful?
+ $this->assertFalse($result->succeeded());
+ $this->assertEquals(400, $result->getStatusCode());
+
+ $shares = \OCP\Share::getItemShared('file', null);
+ $this->assertCount(0, $shares);
+
+ $fileinfo = $this->view->getFileInfo($this->filename);
+ \OCP\Share::unshare('file', $fileinfo['fileid'], \OCP\Share::SHARE_TYPE_USER,
+ \Test_Files_Sharing_Api::TEST_FILES_SHARING_API_USER2);
+ }
+
+
function testEnfoceLinkPassword() {
$appConfig = \OC::$server->getAppConfig();
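Review bot: The comment `// share was successful?` above `assertFalse($result->succeeded())` in `testCreateShareInvalidPermissions` says the opposite of what is asserted; `// creating a share without READ must be rejected with 400` would match the test. The test also writes four `$_POST` keys and never unsets them, so unless setUp/tearDown (not visible here) resets the superglobal, `$_POST['permissions']` can leak into later tests. Only `PERMISSION_SHARE` is exercised; a second case with `$_POST['permissions'] = 0` would pin the boundary of the new check.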
@@ -885,6 +911,51 @@ class Test_Files_Sharing_Api extends TestCase {
/**
* @medium
+ * @depends testCreateShare
+ */
+ public function testUpdateShareInvalidPermissions() {
+
+ $fileInfo = $this->view->getFileInfo($this->filename);
+
+ $result = \OCP\Share::shareItem('file', $fileInfo['fileid'], \OCP\Share::SHARE_TYPE_USER,
+ \Test_Files_Sharing_Api::TEST_FILES_SHARING_API_USER2, \OCP\Constants::PERMISSION_ALL);
+
+ // share was successful?
+ $this->assertTrue($result);
+
+ $share = \OCP\Share::getItemShared('file', null);
+ $this->assertCount(1, $share);
+ $share = reset($share);
+
+ // check if share have expected permissions, single shared files never have
+ // delete permissions
+ $this->assertEquals(\OCP\Constants::PERMISSION_ALL & ~\OCP\Constants::PERMISSION_DELETE, $share['permissions']);
+
+ // update permissions
+ $params = [];
+ $params['id'] = $share['id'];
+ $params['_put'] = [];
+ $params['_put']['permissions'] = \OCP\Constants::PERMISSION_SHARE;
+
+ $result = \OCA\Files_Sharing\API\Local::updateShare($params);
+
+ //Updating should fail with 400
+ $this->assertFalse($result->succeeded());
+ $this->assertEquals(400, $result->getStatusCode());
+
+ $share = \OCP\Share::getItemShared('file', $share['file_source']);
+ $share = reset($share);
+
+ //Permissions should not have changed!
+ $this->assertEquals(\OCP\Constants::PERMISSION_ALL & ~\OCP\Constants::PERMISSION_DELETE, $share['permissions']);
+
+ \OCP\Share::unshare('file', $fileInfo['fileid'], \OCP\Share::SHARE_TYPE_USER,
+ \Test_Files_Sharing_Api::TEST_FILES_SHARING_API_USER2);
+ }
+
+
+ /**
+ * @medium
*/
function testUpdateShareUpload() {
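Review bot: The `unshare` call at the end of `testUpdateShareInvalidPermissions` runs only when every assertion before it passes, so a regression in the permission check would leave a `PERMISSION_ALL` share behind and could make unrelated later tests fail as well. Moving the cleanup into `tearDown()` (not visible in this hunk), or into a `try { … } finally { \OCP\Share::unshare(…); }` if the supported PHP versions allow `finally`, keeps failures isolated. `assertCount(1, $share)` after `getItemShared('file', null)` likewise assumes no share from an earlier test is still present. The `@depends testCreateShare` annotation looks unnecessary because the test builds its own share; confirm before removing it.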