From 9626ff81bd33389564f79dca0e1038a5cf513187 Mon Sep 17 00:00:00 2001
From: Louis Chemineau <louis@chmn.me>
Date: Thu, 30 Jan 2025 10:24:58 +0100
Subject: fix: Exclude non accepted shares when computing access list

Signed-off-by: Louis Chemineau <louis@chmn.me>
---
 lib/private/Share20/DefaultShareProvider.php   | 13 +++++++++++++
 tests/lib/Share20/DefaultShareProviderTest.php |  9 +++++++++
 2 files changed, 22 insertions(+)

diff --git a/lib/private/Share20/DefaultShareProvider.php b/lib/private/Share20/DefaultShareProvider.php
index ffe71901604..8c651dd889c 100644
--- a/lib/private/Share20/DefaultShareProvider.php
+++ b/lib/private/Share20/DefaultShareProvider.php
@@ -1399,6 +1399,19 @@ class DefaultShareProvider implements IShareProvider {
 				$qb->expr()->eq('item_type', $qb->createNamedParameter('file')),
 				$qb->expr()->eq('item_type', $qb->createNamedParameter('folder'))
 			));
+
+		// Ensure accepted is true for user and usergroup type
+		$qb->andWhere(
+			$qb->expr()->orX(
+				$qb->expr()->andX(
+					$qb->expr()->neq('share_type', $qb->createNamedParameter(IShare::TYPE_USER)),
+					$qb->expr()->neq('share_type', $qb->createNamedParameter(IShare::TYPE_USERGROUP)),
+				),
+				$qb->expr()->eq('accepted', $qb->createNamedParameter(IShare::STATUS_ACCEPTED, IQueryBuilder::PARAM_INT)),
+			),
+		);
+
+
 		$cursor = $qb->execute();
 
 		$users = [];
diff --git a/tests/lib/Share20/DefaultShareProviderTest.php b/tests/lib/Share20/DefaultShareProviderTest.php
index f578bc313aa..3c816bcb025 100644
--- a/tests/lib/Share20/DefaultShareProviderTest.php
+++ b/tests/lib/Share20/DefaultShareProviderTest.php
@@ -2698,6 +2698,7 @@ class DefaultShareProviderTest extends \Test\TestCase {
 			->setShareType(IShare::TYPE_USER)
 			->setPermissions(\OCP\Constants::PERMISSION_ALL);
 		$share1 = $this->provider->create($share1);
+		$share1 = $provider->acceptShare($share1, $u2->getUid());
 
 		$share2 = $shareManager->newShare();
 		$share2->setNode($folder2)
@@ -2710,6 +2711,9 @@ class DefaultShareProviderTest extends \Test\TestCase {
 
 		$shareManager->deleteFromSelf($share2, $u4->getUID());
 
+		$share2 = $provider->acceptShare($share2, $u3->getUid());
+		$share2 = $provider->acceptShare($share2, $u4->getUid());
+
 		$share3 = $shareManager->newShare();
 		$share3->setNode($file1)
 			->setSharedBy($u3->getUID())
@@ -2726,6 +2730,7 @@ class DefaultShareProviderTest extends \Test\TestCase {
 			->setShareType(IShare::TYPE_USER)
 			->setPermissions(\OCP\Constants::PERMISSION_READ);
 		$share4 = $this->provider->create($share4);
+		$share4 = $provider->acceptShare($share4, $u5->getUid());
 
 		$result = $provider->getAccessList([$folder1, $folder2, $file1], false);
 
@@ -2795,6 +2800,7 @@ class DefaultShareProviderTest extends \Test\TestCase {
 			->setShareType(IShare::TYPE_USER)
 			->setPermissions(\OCP\Constants::PERMISSION_ALL);
 		$share1 = $this->provider->create($share1);
+		$share1 = $provider->acceptShare($share1, $u2->getUid());
 
 		$share2 = $shareManager->newShare();
 		$share2->setNode($folder2)
@@ -2804,6 +2810,8 @@ class DefaultShareProviderTest extends \Test\TestCase {
 			->setShareType(IShare::TYPE_GROUP)
 			->setPermissions(\OCP\Constants::PERMISSION_ALL);
 		$share2 = $this->provider->create($share2);
+		$share2 = $provider->acceptShare($share2, $u3->getUid());
+		$share2 = $provider->acceptShare($share2, $u4->getUid());
 
 		$shareManager->deleteFromSelf($share2, $u4->getUID());
 
@@ -2823,6 +2831,7 @@ class DefaultShareProviderTest extends \Test\TestCase {
 			->setShareType(IShare::TYPE_USER)
 			->setPermissions(\OCP\Constants::PERMISSION_READ);
 		$share4 = $this->provider->create($share4);
+		$share4 = $provider->acceptShare($share4, $u5->getUid());
 
 		$result = $provider->getAccessList([$folder1, $folder2, $file1], true);
 
-- 
cgit v1.2.3