4 files changed, 52 insertions, 4 deletions

diff --git a/lib/private/files/cache/permissions.php b/lib/private/files/cache/permissions.php
index 2e2bdb20b78..eba18af3863 100644
--- a/lib/private/files/cache/permissions.php
+++ b/lib/private/files/cache/permissions.php
@@ -36,7 +36,7 @@ class Permissions {
 		$sql = 'SELECT `permissions` FROM `*PREFIX*permissions` WHERE `user` = ? AND `fileid` = ?';
 		$result = \OC_DB::executeAudited($sql, array($user, $fileId));
 		if ($row = $result->fetchRow()) {
-			return $row['permissions'];
+			return $this->updatePermissions($row['permissions']);
 		} else {
 			return -1;
 		}
@@ -78,7 +78,7 @@ class Permissions {
 		$result = \OC_DB::executeAudited($sql, $params);
 		$filePermissions = array();
 		while ($row = $result->fetchRow()) {
-			$filePermissions[$row['fileid']] = $row['permissions'];
+			$filePermissions[$row['fileid']] = $this->updatePermissions($row['permissions']);
 		}
 		return $filePermissions;
 	}
@@ -99,7 +99,7 @@ class Permissions {
 		$result = \OC_DB::executeAudited($sql, array($parentId, $user));
 		$filePermissions = array();
 		while ($row = $result->fetchRow()) {
-			$filePermissions[$row['fileid']] = $row['permissions'];
+			$filePermissions[$row['fileid']] = $this->updatePermissions($row['permissions']);
 		}
 		return $filePermissions;
 	}
@@ -140,4 +140,17 @@ class Permissions {
 		}
 		return $users;
 	}
+
+	/**
+	 * check if admin removed the share permission for the user and update the permissions
+	 *
+	 * @param int $permissions
+	 * @return int
+	 */
+	protected function updatePermissions($permissions) {
+		if (\OCP\Util::isSharingDisabledForUser()) {
+			$permissions &= ~\OCP\PERMISSION_SHARE;
+		}
+		return $permissions;
+	}
 }
diff --git a/lib/private/files/storage/common.php b/lib/private/files/storage/common.php
index fef33cabd87..b03ae7d0517 100644
--- a/lib/private/files/storage/common.php
+++ b/lib/private/files/storage/common.php
@@ -81,6 +81,10 @@ abstract class Common implements \OC\Files\Storage\Storage {
 	}
 
 	public function isSharable($path) {
+		if (\OC_Util::isSharingDisabledForUser()) {
+			return false;
+		}
+
 		return $this->isReadable($path);
 	}
 
diff --git a/lib/private/share/share.php b/lib/private/share/share.php
index 16bc492d383..46796c26370 100644
--- a/lib/private/share/share.php
+++ b/lib/private/share/share.php
@@ -485,15 +485,23 @@ class Share extends \OC\Share\Constants {
 			$itemSourceName = $itemSource;
 		}
 
-		// verify that the file exists before we try to share it
+		// check if file can be shared
 		if ($itemType === 'file' or $itemType === 'folder') {
 			$path = \OC\Files\Filesystem::getPath($itemSource);
+			// verify that the file exists before we try to share it
 			if (!$path) {
 				$message = 'Sharing %s failed, because the file does not exist';
 				$message_t = $l->t('Sharing %s failed, because the file does not exist', array($itemSourceName));
 				\OC_Log::write('OCP\Share', sprintf($message, $itemSourceName), \OC_Log::ERROR);
 				throw new \Exception($message_t);
 			}
+			// verify that the user has share permission
+			if (!\OC\Files\Filesystem::isSharable($path)) {
+				$message = 'You are not allowed to share %s';
+				$message_t = $l->t('You are not allowed to share %s', array($itemSourceName));
+				\OC_Log::write('OCP\Share', sprintf($message, $itemSourceName), \OC_Log::ERROR);
+				throw new \Exception($message_t);
+			}
 		}
 
 		//verify that we don't share a folder which already contains a share mount point
diff --git a/lib/private/util.php b/lib/private/util.php
index c018721afe3..23c7053002c 100755
--- a/lib/private/util.php
+++ b/lib/private/util.php
@@ -97,6 +97,29 @@ class OC_Util {
 	}
 
 	/**
+	 * check if sharing is disabled for the current user
+	 *
+	 * @return boolean
+	 */
+	public static function isSharingDisabledForUser() {
+		if (\OC_Appconfig::getValue('core', 'shareapi_exclude_groups', 'no') === 'yes') {
+			$user = \OCP\User::getUser();
+			$groupsList = \OC_Appconfig::getValue('core', 'shareapi_exclude_groups_list', '');
+			$excludedGroups = explode(',', $groupsList);
+			$usersGroups = \OC_Group::getUserGroups($user);
+			if (!empty($usersGroups)) {
+				$remainingGroups = array_diff($usersGroups, $excludedGroups);
+				// if the user is only in groups which are disabled for sharing then
+				// sharing is also disabled for the user
+				if (empty($remainingGroups)) {
+					return true;
+				}
+			}
+		}
+		return false;
+	}
+
+	/**
 	 * Get the quota of a user
 	 * @param string $user
 	 * @return int Quota bytes