From 68b764bb0f1f9604ae9b601ab2b9947705307a6e Mon Sep 17 00:00:00 2001
From: Christoph Wurst
Date: Tue, 3 Mar 2020 14:45:06 +0100
Subject: Do not allow transfer ownership when the user isn't the owner

Signed-off-by: Christoph Wurst
---
 apps/files/lib/Controller/TransferOwnershipController.php | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'apps/files/lib')
diff --git a/apps/files/lib/Controller/TransferOwnershipController.php b/apps/files/lib/Controller/TransferOwnershipController.php
index 639e73187ca..0b33e12e88f 100644
--- a/apps/files/lib/Controller/TransferOwnershipController.php
+++ b/apps/files/lib/Controller/TransferOwnershipController.php
@@ -96,6 +96,10 @@ class TransferOwnershipController extends OCSController {
 return new DataResponse([], Http::STATUS_BAD_REQUEST);
 }
 
+ if ($node->getOwner()->getUID() !== $this->userId) {
+ return new DataResponse([], Http::STATUS_FORBIDDEN);
+ }
+
 $transferOwnership = new TransferOwnershipEntity();
 $transferOwnership->setSourceUser($this->userId);
 $transferOwnership->setTargetUser($recipient);
-- 
cgit v1.2.3
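Review bot: The added ownership check calls `getUID()` on `$node->getOwner()` without a null guard. If the owner cannot be resolved for some storage (inferred, since the Node API is not visible in this hunk), the request would end in an unhandled error rather than a clean refusal. A fail-closed form is `$owner = $node->getOwner();` followed by `if ($owner === null || $owner->getUID() !== $this->userId) {` in front of the existing 403 return. The commit touches only the controller, so no test pins the non-owner case (for example a node the caller only received as a share); one asserting `Http::STATUS_FORBIDDEN` would keep this authorization check from regressing. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here whether ownership is verified again when the transfer is later accepted or carried out.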