From 6e99b0f59d3b0278c45d42dcec01ff554a89d979 Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Thu, 9 Jun 2016 17:45:16 +0200
Subject: Make uploading possible via select and cleanup CSS

---
 apps/files/ajax/upload.php | 23 +++++++++++++++++++++++
 1 file changed, 23 insertions(+)

(limited to 'apps/files/ajax')

diff --git a/apps/files/ajax/upload.php b/apps/files/ajax/upload.php
index 9cc9c279700..98066845734 100644
--- a/apps/files/ajax/upload.php
+++ b/apps/files/ajax/upload.php
@@ -161,6 +161,15 @@ if (\OC\Files\Filesystem::isValidPath($dir) === true) {
 			$resolution = null;
 		}
 
+		if(isset($_POST['dirToken'])) {
+			// If it is a read only share the resolution will always be autorename
+			$shareManager = \OC::$server->getShareManager();
+			$share = $shareManager->getShareByToken((string)$_POST['dirToken']);
+			if (!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+				$resolution = 'autorename';
+			}
+		}
+
 		// target directory for when uploading folders
 		$relativePath = '';
 		if(!empty($_POST['file_directory'])) {
@@ -247,6 +256,20 @@ if (\OC\Files\Filesystem::isValidPath($dir) === true) {
 }
 
 if ($error === false) {
+	// Do not leak file information if it is a read-only share
+	if(isset($_POST['dirToken'])) {
+		$shareManager = \OC::$server->getShareManager();
+		$share = $shareManager->getShareByToken((string)$_POST['dirToken']);
+		if (!($share->getPermissions() & \OCP\Constants::PERMISSION_READ)) {
+			$newResults = [];
+			foreach($result as $singleResult) {
+				$fileName = $singleResult['originalname'];
+				$newResults['filename'] = $fileName;
+				$newResults['mimetype'] = \OC::$server->getMimeTypeDetector()->detectPath($fileName);
+			}
+			$result = $newResults;
+		}
+	}
 	OCP\JSON::encodedPrint($result);
 } else {
 	OCP\JSON::error(array(array('data' => array_merge(array('message' => $error, 'code' => $errorCode), $storageStats))));
-- 
cgit v1.2.3